
Helping Clients Navigate The Dynamic Area Of The DPF For EU-U.S. Data Transfers


The EU-US Data Privacy Framework (DPF) is the latest development in a decades-long saga of efforts to reconcile and streamline cross-border data transfers from the European Union (EU) to the United States (US) (with the relevant Swiss DPF and UK Extension). The storied history of data transfer mechanisms and the invalidation of each, ranging from the Safe Harbor to the Privacy Shield, including the role of Max Schrems’ NGO called NOYB and the eponymous Schrems II decision, has caused much tumult and resource expenditure among many organizations.

The DPF is an adequacy decision that concludes that the US provides a “level of protection essentially equivalent” to that of the EU for personal data transferred to certified organizations in the US. Underpinning the DPF are several principles organizations must adhere to in order to attain and maintain certification, including notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access and recourse, enforcement, and liability. Further, redress also plays a leading role under the DPF. Specifically, redress aims to ensure that US intelligence activities are “necessary and proportionate in the pursuit of defined national security objectives.” As part of this, establishing an adjudicating function called the Data Protection Review Court (DPRC) will allow residents of the EU to initiate a process whereby the DPRC may instruct the relevant intelligence agencies to take remedial actions. In line with the redress process, the European Data Protection Board (EDPB) has published procedural rules regarding how complaints are to be handled under the redress system, including the Rules of Procedure, the Information Note, and the Complaint Template.

With so many previous iterations of data transfer mechanisms invalidated and further challenges in the offing, the DPF’s future is uncertain. There are encouraging signs that the DPF is here to stay for now, with the European Commission publishing its first review of the adequacy decision after its first year in force.

RICHT is at the forefront of this dynamic area and is focused on helping clients stay ahead of the ever-evolving privacy regulatory landscape with international data transfers and the DPF.

The Road To The Data Privacy Framework

Data Privacy Framework (DPF) Law Services We Offer


Data Privacy Framework (DPF) Certification

Other Data Transfer Mechanism Implementation

Ongoing Data Privacy Framework (DPF) Compliance


“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship. The EU-U.S. DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”

Source: Executive Order to Implement the European Union-U.S. Data Privacy Framework

Resources



Find Out About How A Data Privacy Framework (DPF) Lawyer Can Help



    Data Privacy Framework (DPF) Law News

     

    THE NATIONAL LAW REVIEW

    Update: Transfers Under the Swiss-U.S. Data Privacy Framework

    The Swiss Federal Council has added the U.S. to the list of countries with an adequate level of data protection. Effective September 15, 2024, U.S. organizations that certify to the Swiss–U.S. Data Privacy Framework (DPF) can commence receiving transfers of personal data from Switzerland without implementing additional safeguards.

    Data Transfers
    IAPP

    Implementing Transatlantic Transfers

    This chart outlines the key changes and requirements for U.S. organizations participating in the Data Privacy Framework, whether they are transitioning from the Privacy Shield or newly self-certifying, and for EU organizations transferring data to U.S. organizations, including to U.S. organizations not certified to the Data Privacy Framework.

    Data Transfers
    European Commission

    Questions & Answers: EU-US Data Privacy Framework

    FAQs from the European Commission outlining the new EU-US Data Privacy Framework and answering some common questions.

    Data Transfers

    Our Insights