FAQs – EU-U.S. Data Privacy Framework Updates (1-4)
Last updated: January 11, 2023
Q1: What is the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and what does it mean for the future of the EU-U.S. Privacy Shield?
Q2: How will the new EU-U.S. DPF amend the privacy principles that organizations adhere to under the EU-U.S. Privacy Shield Framework?
Q3: When will the EU-U.S. DPF Principles enter into effect?
Q4: Is there a delay or moratorium on enforcement by EU data protection authorities?
See EU-U.S. Data Privacy Framework Updates FAQs 5-7
Q1: What is the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and what does it mean for the future of the EU-U.S. Privacy Shield?
- On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment, known as the Schrems II decision, which declared as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of the Schrems II decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
- On October 7, 2022, President Biden signed Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (the Executive Order). Following the signing of the Executive Order, U.S. Secretary of Commerce Gina Raimondo issued a statement on its implementation of the EU-U.S. DPF. The Executive Order and related regulations governing the new Data Protection Review Court (DPRC) implement U.S. commitments under the EU-U.S. DPF. These commitments fully address the concerns raised by the CJEU in its Schrems II decision. The EU-U.S. DPF will also amend the privacy principles that organizations adhere to under the EU-U.S. Privacy Shield Framework as the “EU-U.S. Data Privacy Framework Principles” (EU-U.S. DPF Principles).
- The EU-U.S. DPF will provide the European Commission with the basis to adopt a new adequacy decision, which would affirm that the strengthened safeguards in U.S. law on signals intelligence activities, new redress mechanism, and the amended privacy principles under the EU-U.S. DPF meet EU legal requirements. When the European Commission adopts its new adequacy decision, participating organizations will be able to use the EU-U.S. DPF Principles to transfer EU personal data to the United States in compliance with EU law. The new safeguards for signals intelligence will also benefit organizations transferring data on the basis of other tools, such as Standard Contractual Clauses and Binding Corporate Rules.
- For help determining the most appropriate data transfer mechanism for an organization, please contact the appropriate European national data protection authority or legal counsel.
Q2: How will the new EU-U.S. DPF amend the privacy principles that organizations adhere to under the EU-U.S. Privacy Shield Framework?
- It is important to note that the CJEU’s Schrems II decision was focused solely on government access to data. The CJEU did not question the protections that the EU-U.S. Privacy Shield offered EU individuals in the commercial sphere. The U.S. commitments under the EU-U.S. DPF regarding signals intelligence are included in the Executive Order and regulations governing the new DPRC.
- The EU-U.S. DPF will amend the privacy principles that organizations adhere to under the EU-U.S. Privacy Shield Framework as the “EU-U.S. Data Privacy Framework Principles” (EU-U.S. DPF Principles). However, the EU-U.S. DPF will not create new substantive obligations for participating organizations with regard to protecting EU personal data. The privacy principles and the process to self-certify and re-certify annually will remain substantively the same. Participating organizations will continue to be required to adhere to the privacy principles as amended under the EU-U.S. DPF, including the requirement to self-certify through the U.S. Department of Commerce.
Q3: When will the EU-U.S. DPF Principles enter into effect?
- The effective date of the EU-U.S. DPF Principles is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF.
- The EU-U.S. Privacy Shield Framework Principles will be amended as the “EU-U.S. Data Privacy Framework Principles” under the EU-U.S. DPF.
- Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles and wish to enjoy the benefits of participating in the EU-U.S. DPF must comply with the EU-U.S. DPF Principles once those enter into effect. Such compliance includes updating their privacy policies to, among other things, refer instead to their commitment to comply with the “EU-U.S. Data Privacy Framework Principles”. Such organizations shall include this reference within three months of the effective date for the EU-U.S. DPF Principles (i.e., as soon as possible after the effective date for the EU-U.S. DPF Principles, but no later than three months after that effective date). This three-month window applicable to all such organizations would not extend the time a given organization has in which to re-certify (i.e., the updating and renaming of the privacy principles under the EU-U.S. DPF would not change an organization’s re-certification due date).
- Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles, but do not wish to enjoy the benefits of participating in the EU-U.S. DPF, must complete the withdrawal process described in Q7 on the next page.
- Organizations making an initial self-certification after the effective date for the EU-U.S. DPF Principles must comply with the EU-U.S. DPF Principles upon self-certification.
- The U.S. Department of Commerce will continue to provide timely updates on the status of the European Commission’s adequacy decision for the EU-U.S. DPF as a basis for transfers of EU personal data to the United States and will make the text of the EU-U.S. DPF Principles publicly accessible at an appropriate time before the effective date for the EU-U.S. DPF Principles. The Department will also issue additional, related guidance in the future.
Q4: Is there a delay or moratorium on enforcement by EU data protection authorities?
- On July 17, 2020, the European Data Protection Board (EDPB), which is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities, issued a statement noting, among other things, that “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
- On July 23, 2020, the EDPB adopted guidance to a set of frequently asked questions on the July 16, 2020 decision by the CJEU noting, among other things, that there is no grace period during which an organization can keep on transferring data to the United States without assessing its legal basis for the transfer.
- The U.S. Department of Commerce has been and will remain in close contact with the EDPB on this matter.
- If you have questions, please contact the appropriate European national data protection authority or legal counsel.