- 11.07.23
- Reading time: 3 minutes
DATA PRIVACY FRAMEWORK (DPF)
New adequacy decision for secure data transfer between the EU and the USA
On 10/07/2023, on its third attempt, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework. This means that EU companies can now transfer personal data to data importers in the U.S. who certify compliance with the DPF principles, without the need for further approvals or additional measures (e.g., SCC and BCR).
Background
If the Commission decides that a third country (or a territory or sector within it) has an adequate level of protection, data transfers to that third country are permitted without further requirements.
For the U.S., the Commission issued two adequacy decisions prior to the entry into force of the GDPR: the Safe Harbor decision of June 26, 2000, which was invalidated by the ECJ on October 6, 2015 (Schrems I), and the Privacy Shield of 12.06.2016, which was also declared invalid by the ECJ on 16.07.2020 (Schrems II).
In both cases, the ECJ found that surveillance by U.S. authorities of EU citizens whose personal data had been transferred to the U.S. was not compatible with EU law. Another problem, the court said, was the lack of effective mechanisms for EU citizens to enforce their rights in the United States.
Since July 2020, companies have had to transfer data to the U.S. subject to appropriate safeguards.
The Data Privacy Framework (DPF)
On May 23, 2022, the European Commission and the United States announced that they had agreed in principle on a new Transatlantic Privacy Framework that would address the concerns expressed by the ECJ in Schrems II.
Yesterday, the adequacy decision finally went into effect.
Effects for companies
- This is still a self-certification mechanism: data importers in the US must self-certify their compliance with the DPF principles.
- It remains unclear what will happen to companies already certified under the Privacy Shield – whether new certification will be required or whether recertification will be possible.
- The necessary information is provided at https://www.dataprivacyframework.gov/s/. Currently, the website is still under construction and visitors are redirected to the Privacy Shield website.
- Data exporters in the EU must first ensure that the data recipient in the U.S. is already DPF-certified before any data transfer based on the new adequacy decision takes place.
- A data transfer impact assessment will no longer be required for third country transfers based on the DPF. However, if the data importer is not DPF-certified, then conducting a data transfer impact assessment remains necessary.
- Data protection declarations must be updated.