Data Privacy Framework: the end of the road?
Several years have passed since the Court of Justice of the European Union (CJEU), on 16 July 2020, invalidated the privacy agreement then in force for international transfers of personal data between the European Union and the United States (the Privacy Shield).
During all this time, companies have had to rely on other safeguards in order to operate normally on both sides of the Atlantic, mainly the European Commission’s Standard Contractual Clauses (SCCs) or other measures such as Binding Corporate Rules (BCRs).
With the approval on 10 July of the Data Privacy Framework (DPF), it seems that the European Union and the United States have found common ground in facilitating the flow of personal data between the two territories.
What is the Data Privacy Framework?
The Data Privacy Framework (DPF) is the new privacy agreement between the European Union and the United States regarding international transfers of personal data.
Its predecessor, the Privacy Shield, was annulled by the Court of Justice of the European Union (CJEU) because the Court considered that the United States did not provide adequate safeguards for the processing of EU citizens’ personal data.
What changes does the DPF bring?
The Data Privacy Framework introduces new binding protection mechanisms intended to address the concerns raised before the CJEU and to safeguard the privacy rights at stake.
These include decisions limiting access to data by US intelligence services to what is strictly necessary for the fulfilment of certain purposes, and providing EU citizens with remedies and avenues of redress against the improper handling of their data by US companies, among others.
The new framework concludes with the decision that the US ensures an adequate level of protection, comparable to that which exists in the EU, for the international transfer of personal data. This provides legal certainty to both citizens and businesses on both sides of the Atlantic, and includes a requirement to erase personal data when it is no longer necessary for the purpose for which it was collected.
It also includes a number of safeguards regarding access to data by US authorities, in particular for law enforcement, criminal and national security purposes, limiting access to personal data to what is necessary and proportionate to protect national security.
In addition to the above, complaints will be investigated by the US intelligence community’s so-called “Civil Liberties Protection Officer”, who is responsible for ensuring compliance with fundamental and privacy rights by US intelligence agencies.
In addition, individuals have the possibility to appeal the decision of the Civil Liberties Protection Officer to the newly created Data Protection Review Court (DPRC).
EU citizens will have remedies available to them in the event that their personal data is mishandled. These include free, independent dispute resolution mechanisms and an arbitration panel.
People can file a complaint with their national supervisory authority, thus ensuring that data subjects can contact an authority close to their home and in their own language. The complaints will be transmitted to the United States by the European Data Protection Bureau.
Which companies can benefit from the Data Privacy Framework?
Companies that are certified (and re-certified annually) in the United States may benefit from this new framework. To do so, organizations must publicly declare their commitment to comply with its principles, make their privacy policies available and fully apply them.
As part of their (re)certification application, organizations have to submit information to the DoC (Department of Commerce) on, among other things, the name of the relevant organization, a description of the purposes for which the organization will process personal data, the personal data that will be covered by the certification, the verification method chosen, the relevant independent recourse mechanism and the statutory body that has jurisdiction to enforce compliance with the Principles.
All such organizations and companies will be included in a public List that is accessible for verification by third parties.
To ensure legal certainty and to avoid “false claims”, first-time certifying organizations are not permitted to make public reference to their adherence to the Principles before the DoC has determined that the organization’s certification submission is complete and has added the organization to the DPF List.
In order to remain part of the DPF and receive personal data from the European Union, these organizations must re-certify their participation in the framework on an annual basis. When an organization leaves the DPF for any reason, it must remove all statements that imply that the organization continues to participate in the DPF.
What is the future of the DPF?
Given this background, the European Commission has opted for a system of periodic reviews of the DPF.
The European Commission will carry out a first review of the agreement within a year of its entry into force and will decide at that time, depending on the situation of international transfers of personal data, how to proceed. In any case, reviews will take place at least every four years, as established in Article 45.3 GDPR.
At Letslaw we are specialists in personal data protection, and we can help you make your international transfers safely.
Letslaw is an international law firm specialised in business law.