On 10 July 2023, the EU reached a deal with the US on how to better protect the privacy of personal data belonging to EU residents when their data gets transferred across the Atlantic. After years of discussions, and countless fines against Meta, Google and other big tech companies for violating GDPR rules, will this new framework be the “get out of jail free card” big tech companies have been waiting for?  

First, let us get into the nitty-gritty details behind the framework. 

1. The EC adopted its adequacy decision for the EU-US Data Privacy Framework (“DPF”) on 10 July 2023. An adequacy decision is a GDPR provision which allows the transfer of personal data from the EU to third countries which, after an assessment by the EC, offer a comparable level of protection of personal data to that of the EU.  

1. The adequacy decision means that the EU has recognised that the US ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the EU-US DPF.  

1. Where an adequacy decision has been made, personal data can flow freely and safely from the European Economic Area (“EEA”) to a third country without being subject to further conditions and requirements. In other words, transfers to a third country can be handled in the same way as intra-EU transmissions of data. 

1. What is the impact of the decision on EU-US data transfers?  

1. Private or public entities in the EEA can transfer personal data to US companies participating in the EU-US DPF without putting additional data protection safeguards in place.  

What are the key principles behind the framework?  

• EU citizens have been given additional rights which include the ability to obtain access to their data or to obtain correction or deletion of incorrect or unlawfully handled data where it has been transferred to participating US companies.  

• Offers new redress mechanisms for EU citizens if their data is mishandled. This includes free-of-charge independent dispute resolution mechanisms and an arbitration panel. 
• Includes safeguards to limit access to data by US intelligence authorities to only what is necessary and proportionate to protect national security. 
• Provides for enhanced oversight of US intelligence service activities to ensure compliance with the safeguards. 
• An independent and impartial redress mechanism, which includes a Data Protection Review Court, to investigate and resolve complaints regarding personal data access by US national security authorities.  
• Companies processing data transferred from the EU must self-certify that they adhere to the standards through the US Department of Commerce.  

How do US companies self-certify their participation in the EU-US DPF? 

• To join the DPF, an organization must develop a conforming privacy policy, identify an independent recourse mechanism and self-certify on https://www.dataprivacyframework.gov/s/. 
• Companies must commit to comply with a detailed set of privacy obligations such as purpose limitation, data minimization, data retention and specific obligations concerning data security and the sharing of data with third parties. 
• The US Department of Commerce will process applications for certification and monitor whether companies who choose to certify continue to meet the requirements. 
• The US Federal Trade Commission will enforce compliance under this framework.  

What about the UK? 

The DPF only applies to personal data that is subject to EU GDPR, therefore it does not apply under the UK Data Protection Act. However, in June 2023, the UK and the US agreed to establish a UK Extension to the Data Privacy Framework. This extension will create a data bridge between the US and the UK which will facilitate the free flow of personal data between the two countries.  

PoV: 

This new framework will make it easier for companies to transfer personal data from the EU to the US and as more US companies certify their participation in the DPF, this will likely increase the number of cross-border promotions between the EU and US!