New US-EU Privacy Regulations (What Has Changed?)
With the launch of the EU-US Data Privacy Framework (EU-U.S. DPF), the newest iteration of mechanisms to facilitate transatlantic data flow comes to fruition. To participate in the program, U.S. companies will have to self-certify their compliance with the EU-U.S. DPF principles. These principles help to bridge the gap between US data privacy law and the GDPR. In addition to the commitments US companies will have to make, the framework also commits the US government to limit US intelligence services' access to the data of EU individuals. The EU-U.S. DPF also establishes a Data Protection Review Court (DPRC), which will be able to provide EU individuals with redress against privacy rights violations committed by U.S. companies or U.S. agencies. These are binding remedial measures, as detailed in the EU-U.S. DPF. Of course, this is far from the first bite at the apple in creating a cross-jurisdictional data privacy framework, so those subject to or benefiting from this framework should be cautious, as these agreements have proven themselves delicate in the past.
The EU-US DPF replaces the EU-US Privacy Shield, which was ruled invalid by the European Court of Justice (ECJ) on July 16th, 2020. Privacy Shield itself replaced the International Safe Harbor Privacy Principles after they were declared invalid by the ECJ in October 2016. History shows that while there is an appetite to ease commerce across the Atlantic by bridging the gap in data privacy protections, these frameworks have not been stable and can be affected by shifting political winds and differing geopolitical goals.
With the European Commission giving its approval for the EU-U.S. DPF, there is hope that the efforts the U.S. government has made to remedy the concerns the ECJ had with Privacy Shield will be sufficient to prevent another data privacy framework from being struck down by the ECJ. Key among these efforts have been changes to how the intelligence community handles EU individuals' data and the new redress mechanisms introduced with the DPRC. Companies previously certified under Privacy Shield will have until October 17th, 2023, to update their privacy policies to reflect compliance with the DPF in order to maintain their certification. These organizations may rely on the DPF immediately to receive transfers of EU individuals' personal data. Organizations that have not maintained their certification under Privacy Shield can begin the process of self-certification online through a tool provided by the Department of Commerce. These organizations will be expected to provide details about their privacy policy, their reasons for EU data transfers, and their reporting mechanisms, among other details. U.S. regulatory agencies, including the FTC, are expected to enforce the DPF aggressively to demonstrate to the European Commission and the ECJ that the framework works, and so to avoid another unfavorable ruling that would invalidate this framework as well.
Legal challenges to this framework are expected in the near future, but players on both sides of the Atlantic have expressed confidence that the framework will survive them. Looking ahead, and presuming the DPF survives legal challenge, there are ongoing discussions about EU-U.S. data transfer mechanisms for specific industries that have been left out of the DPF, such as finance and healthcare.
Could you use some help keeping up with privacy in your business? At CyberData Pros, we understand the complexities of data privacy and can guide your business through this challenging landscape. Our proven track record in protecting our clients’ data speaks volumes about our commitment to privacy. Get in touch with us today for a free consultation.