On July 10, 2023, Commissioner Reynders announced the adoption by the EU Commission of a new adequacy decision (the “Decision”) on the EU-US Data Privacy Framework (the “Framework” or “DPF”), a new framework developed after the invalidation of the Privacy Shield by the European Court of Justice.
The Decision concludes that the
United States ensures an adequate level of protection for personal data transferred from the Union to organizations in the United States that are included in the Data Privacy Framework List.
This means, in other words, that the standards of personal data protection issued by the US Department of Commerce and included in the DPF are “essentially equivalent” to those guaranteed by the GDPR.
This also means that personal data can now flow from the EU to US organizations that meet the privacy principles of the DPF and are included in the relevant List without the need for any additional measures.
The DPF is based on a certification system.
US organizations that wish to be certified and included in the DPF List need to meet the privacy principles outlined in the DPF and be subject to the investigatory and enforcement powers of the Federal Trade Commission.
Organizations must re-certify on an annual basis.
The framework also addresses and regulates the access to and use of personal data transferred from the EU by public authorities in the US, the topic that led, among others, to the invalidation of the Privacy Shield by the European Court of Justice.
Organizations are required to provide the following information to individuals:
All the above information must be provided to individuals in clear and conspicuous language.
The information must be made available to individuals when personal information is first collected or as soon as possible. In any case, before the information is used for a purpose different from that for which it was originally collected or processed by the transferring organization, or it is disclosed for the first time to a third party.
Organizations must allow individuals to opt out (opt-in for sensitive information) of the:
Under the DPF, organizations are subject to strict requirements before transferring personal data to a third party (e.g., ensuring that the transfer occurs only for limited and specified purposes and the third party provides at least the same level of privacy protection and processes personal information consistently with the Principles).
The organization remains liable for how data is processed by the third party.
Organizations are required to grant the security of the information they receive.
Organizations are not allowed to process personal information for purposes that are not compatible with the purposes for which it was collected or those authorized by the individual.
Under the Integrity Principle, organizations must ensure that personal data is reliable for its intended use, accurate, complete, and current.
The DPF, save for minor limitations, grants individuals the right to access their personal information.
The Principle also entails the individuals’ right to correct, amend, or delete their information where it is inaccurate or has been processed in violation of the Principles.
This Principle ensures the effectiveness of the Framework by setting up mechanisms that assure compliance with the Principles, recourses for individuals who are affected by non-compliance, and that organizations are held liable when the Principles are not followed.
The Principle also includes follow-up checks to verify that what organizations state about their privacy practices is true and implemented.
US organizations that wish to become part of the Framework must submit a self-certification on the Department of Commerce’s dedicated website (link).
DPF’s benefits operate from the moment in which the organization is added to the Data Privacy Framework List.
The self-certification or subsequent re-certification (on an annual basis) must be submitted by a corporate officer and include, among others, the following:
Following the Decision and in line with the DPF’s standards, all organizations that wish to be part of the Framework are required to update their privacy policies to include mandatory disclosures under the Notice Principle.