🔒 Practical implications following the EU Commission's adequacy decision for the EU-U.S. Data Privacy Framework 🔒
📅 On 10 July 2023, the European Commission adopted its adequacy decision on the EU-U.S. DPF, but what does this mean operationally for transfers from the EU to organizations in the U.S.?
✉️ Transfers of personal data can now be made to U.S. organizations certified as EU-U.S. DPF participants without needing appropriate safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
🏢 To join the DPF, U.S. organizations must be eligible to participate and must certify their compliance with the DPF’s underlying privacy principles, including adopting a DPF-compliant privacy policy. Self-certification can be done via the DPF website, but certification is not active until it has been granted by the U.S. Department of Commerce (DoC).
📜 The DoC confirmed that active Privacy Shield participants may immediately rely on the EU-U.S. DPF. Such organizations are required to update their privacy notices to reflect reliance on the EU-U.S. DPF and its principles by 10 October 2023. Organizations that do not wish to comply with the EU-U.S. DPF principles must complete a withdrawal process.
🛡️ Transfers to U.S.-based organizations that are not EU-U.S. DPF participants cannot be based on the adequacy decision. Such transfers will still require appropriate safeguards such as SCCs (including transfer impact assessments) or BCRs.
🇬🇧🇨🇭 The EU adequacy decision does not benefit the UK or Switzerland. The UK recently reiterated its commitment to a UK-U.S. Data Bridge, but until the UK reaches its own adequacy decision, transfers from the UK/Gibraltar to the U.S. still need an IDTA or UK Addendum to the SCCs. The same applies to Switzerland. Adequacy decisions from both are expected soon.
🏛️ The EU-U.S. DPF marks a significant step forward, but for how long before a further legal challenge is mounted?