Companies that register under this framework will be considered safe recipients of personal data that ensure an adequate level of protection under Article 45 of the GDPR (1). When transferring personal data to such companies, there will no longer be a need for Transfer Impact Assessments (TIAs), Local Law Assessments (LLAs), or complex contractual clauses. In other words, data transfers to these companies will take place under the same regime as transfers between companies within EU member states.
This marks the third attempt to regulate the transfer of personal data to the USA. The original legal framework, known as the Privacy Shield, was invalidated in 2020. The Court of Justice of the EU (CJEU) had two main concerns. Firstly, US government authorities and intelligence services had essentially unrestricted access to personal data, including data of EU citizens. This concern was closely tied to the second issue, as EU citizens could not access information about the processing of their personal data in the USA and had no means to enforce their rights.
The DPF addresses these shortcomings. The USA, through Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” issued by President Biden on October 7, 2022, establishes a specialized official for civil liberties and privacy protection (Civil Liberties and Privacy Officer – CLPO) within the Office of Intelligence and Research. The CLPO is responsible for ensuring respect for fundamental rights with regard to the protection of personal data, including by state authorities and intelligence services. Decisions by the CLPO can then be reviewed by a new specialized court, the Data Protection Review Court. As a result, EU citizens will be able to assert their rights concerning their personal data in the USA.
While this is a significant step towards restoring legal certainty in the transfer of personal data between the EU and the USA, it is already certain that this decision, like previous adequacy decisions, will be subject to scrutiny and reevaluation by the CJEU.
The organization noyb, led by Max Schrems, has already criticized the decision, arguing that the DPF does not meet the requirements of the GDPR. Therefore, it can be expected that the current decision on the adequacy of protection will be assessed by the CJEU soon.
The list of companies registered under the DPF is available from July 17, 2023, here: https://lnkd.in/eCUrwrvc
We are ready to assist you with the assessment and potential adjustments to your information documentation. Please do not hesitate to contact us.
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).