The EU-U.S. Data Privacy Framework (DPF): What Does It Mean for You?

If your business transfers data from the European Union to the United States, you’ve likely been keeping an eye on the EU-U.S. Data Privacy Framework (EU-U.S. DPF) for the past several years. The long-awaited adequacy decision regarding the EU-U.S. DPF was recently announced by the EU Commission, paving the way for data transfers from the highly regulated EU to the U.S.  

Despite the numerous state privacy laws active in the U.S., EU citizens’ data doesn’t receive the same level of protection as it does in the EU. Under the EU General Data Protection Regulation (GDPR), the EU restricts the transfer of data to countries without appropriate levels of data protection comparable to the EU. Adequacy decisions are the mechanism the EU uses to determine if countries have an appropriate level of data protection.  

 Essentially, the adequacy decision for the EU-U.S. DPF provides U.S. organizations with a way to transfer personal data while ensuring data protection consistent with EU law. It’s worth noting that this is the third attempt by the United States to gain data transfer approval from the EU after the Safe Harbor Framework and EU-U.S. Privacy Shield were invalidated.    

A Brief Background on Trans-Atlantic Data Privacy Frameworks 

Given the global scale of business these days, the need to transfer data across borders is pretty commonplace. In 2000, the Safe Harbor Agreement was put into place to govern such data exchanges and comply with EU law. The Safe Harbor Agreement laid out seven key principles with regard to notice, choice, transfer, security, data integrity, access, and enforcement.  

However, data privacy advocate Max Schrems challenged Facebook in a landmark legal case that ended with the European Court of Justice (ECJ) invalidating the Safe Harbor Agreement.  

Schrems argued that the data privacy rights afforded to him in Europe were not being upheld by Facebook, which transferred his data to the U.S. The case (referred to as Schrems I) was moved to Ireland and then sent to the ECJ, which ruled in Schrems’s favor in 2015.      

As Schrems was challenging Safe Harbor Agreement, Edward Snowden leaked classified NSA documents that shed light on the U.S. government’s surveillance practices. In part, the revelations regarding the U.S. intelligence community’s broad access to data would contribute to the legal difficulties of establishing a transatlantic data transfer framework that met the GDPR’s standards. 

Just because Safe Harbor Agreement had been invalidated didn’t mean data transfers didn’t need to take place. A moratorium was accepted until a new framework known as the Privacy Shield was introduced in July 2016. The new framework replaced the Safe Harbor Agreement as a way to facilitate transfers.  

 Also known as “Safe Harbor 2.0,” the framework quickly gained criticism, including by Schrems. Roughly around this time, Schrems had founded the data privacy advocacy group NOYB (or, “None of Your Business,”) which has become an influential EU organization focused on protecting privacy rights.  

Schrems and NOYB again filed suit, alleging that the new framework did not sufficiently protect personal data. In July 2020, the EU-U.S. Privacy Shield was invalidated in a decision that would become known as Schrems II. There were and are still a variety of mechanisms for international data transfers, but they present more legal risk for the companies engaged in them (such as standard contractual clauses) or only apply to specific scenarios (such as binding corporate rules). 

Hoping that the third time would be the charm, President Biden and the EU President Ursula von der Leyen agreed to the draft EU-U.S. Data Privacy Framework In March 2022, and President Biden issued an executive order that strengthened safeguards for signals intelligence activities. This was a key upgrade and addressed one of the major criticisms of the previous two transatlantic data privacy frameworks. 

On July 10, 2023, the European Commission announced that it would adopt the new framework, providing more robust legal grounds for transcontinental data transfers between the EU and the U.S.   

What is the EU-U.S. Data Privacy Framework? 

The approved framework has a number of safeguards to help ensure the data of EU citizens is protected, including against unwanted access by U.S. authorities. The framework holds national surveillance agencies to more stringent standards for data access, and subjects have redress mechanisms for noncompliance.   

There are nuances to consider, but at a high level, the seven core principles of the DPF are as follows:  

1. Notice: Those transferring data must provide notice with certain details about their rights, such as types of data collected, purposes for collection, contact information for inquiries and complaints, whether they disclose personal information to third parties and purposes, their rights to access, and others in clear language. 
2. Choice: Consumers must be given the choice to opt out of disclosure of personal information to a third-party controller or to the use of their personal information for a different purpose than the reason for its collection. For sensitive information, data subjects must provide opt-in consent.  
3. Accountability for onward transfers: Companies must comply with certain terms if they transfer personal data to a third party. 
4. Security: Those who collect or control personal data must take “reasonable and appropriate” measures to protect personal information.  
5. Data integrity and purpose limitation: In general, companies can only use and retain information for the purpose in which it has been collected. 
6. Access: Participating countries must allow individuals to access their personal data, and in most cases, they must also allow them to correct, amend, or delete information deemed inaccurate.  
7. Recourse, enforcement and liability: The DPF requires participants to provide a “readily available independent recourse mechanism to hear individual complaints at no cost to the individual.” 

In addition, organizations must cooperate with the U.S. Department of Commerce and respond to inquiries by the International Trade Administration (ITA).  

 There are 16 equally binding supplemental principles that explain and augment those seven privacy principles. More details and frequently asked questions are available on the Data Privacy Framework website. 

What Does This Mean for Businesses?  

U.S. businesses can self-certify their compliance and commit to comply with DPF principles. While the program is voluntary, “compliance upon self-certification is compulsory,” the Data Privacy Framework website states. “Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.” 

It’s important to note that only U.S. legal entities that are subject to the jurisdiction of the Federal Trade Commission or U.S. Department of Transportation are eligible to participate in the DPF program. Both federal organizations have committed to enforcing the EU-U.S. DPF. 

Before self-certification, businesses must create a DPF-compliant privacy policy that conforms to DPF principles, includes a link to the DPF program website, and is publicly available. 

Will the EU-U.S. DPF Be a Permanent Solution?  

The victory of the agreement may be short lived and will definitely face legal challenges, as NOYB has said it will challenge the decision.  

The agreement will likely be “back at the Court of Justice (CJEU) in a matter of months. The allegedly ‘new’ Trans-Atlantic Data Privacy Framework is largely a copy of the failed ‘Privacy Shield,’” a press release on the NOYB website states.   

If it survives legal challenges, the EU will review the DPF within a year and could amend it at any time. Some will self-certify and add a clause for what to do if the DPF is later invalidated.  

In the meantime, businesses seeking to transfer data between the EU and U.S. have little choice but to adhere to the DPF and/or evaluate whether standard contractual clauses are appropriate for their organization.