
Revised EU – US Data Privacy Framework

On 10 July 2023, the European Commission adopted its decision on the EU – US Data Privacy Framework, which entered into force with immediate effect.

The decision concluded that the United States ensures a sufficient level of protection for personal data transferred from the EU to US companies under the new framework. Personal data can now flow safely from the EU to US companies participating in the Framework.

What Is the EU – US Framework?

The EU – US Framework is a mechanism to enable compliance with EU data privacy requirements when transferring personal data from the EU to US companies. The Data Privacy Framework replaces the EU – US Privacy Shield that was invalidated by the Schrems II judgment of 2020, thus ending a three-year period of uncertainty for the data transfer.

Both the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (UK GDPR) impose restrictions on the transfer of personal data to third countries that have not been validated for an adequate level of protection for personal data.

The new Data Privacy Framework (DPF) will allow the smooth transatlantic flow of personal data without the need for additional contractual agreements, by ensuring that participating US companies provide a level of data protection adequate to that of the EU.

The new framework introduces significant improvements compared to the previous mechanism. It sets out obligations that US companies participating in the data transfer will have to subscribe to. These companies will have to commit to complying with privacy obligations, such as the requirement to delete personal data when it is no longer needed for the purpose for which it was collected, and to ensure that personal data remains protected when it is shared with third parties. The DPF foresees limiting access to the data of EU citizens by US intelligence services to what is strictly necessary and proportionate.

The new framework also establishes a Data Protection Review Court (DPRC), which could be accessed by EU individuals. If the DPRC finds that data collected violates the GDPR or the UK Data Protection Act 2018, it will have the possibility to order the deletion of the data. EU individuals will have access to an independent and impartial redress mechanism regarding the collection and processing of their data by US intelligence agencies.

CookieScript Consent Management Platform is easy to use and complies with both the EU and the US privacy regulations.

The Timeline for the Adoption of the EU – US Framework

July 10, 2023. The EU – US Data Privacy Framework comes into effect. US companies registered with Privacy Shield certification can rely on the DPF immediately.

July 17, 2023. US companies can start self-certification with DPF compliance.

October 10, 2023. Deadline for US companies with active Privacy Shield to comply with the EU – US DPF requirements.

October 17, 2023. Deadline for US companies with active Privacy Shield to comply with the requirements of Swiss – US DPF.

The Previous Data Transfer Frameworks

The current DPF is the third attempt to regulate transatlantic data flow.

The EU – US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data. In 2020, it was invalidated by the CJEU due to concerns over the lack of adequate safeguards for the personal data of EU individuals and over surveillance by US government agencies. This left transatlantic data transfers in three years of uncertainty.

The Safe Harbor Framework was another agreement, the legal predecessor to the Privacy Shield, until 2015, when the CJEU invalidated it for its failure to provide adequate protection for the personal data of EU individuals.

Future of the EU – US Data Privacy Framework

The current DPF will be reviewed periodically by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision to verify that all protection mechanisms have been fully implemented in the US legal framework and are functioning effectively in practice.

UK Extension to the EU – US Data Privacy Framework

On June 8, 2023, the UK and the US decided to establish a legal framework to facilitate the transfer of personal data from the UK to the US. The proposed agreement will function as a UK extension of the EU – US DPF.

US companies participating in the Data Privacy Framework can self-certify for the UK extension of the DPF. However, self-certification can start only after the UK adequacy decision is finalized.

Swiss – US Data Privacy Framework

The Swiss – US Data Privacy Framework (Swiss – US DPF) entered into effect on July 17, 2023. Companies that are certified under the Swiss – US Privacy Shield Framework can opt to comply with the new requirements of Swiss – US DPF.

As in the case of the UK, self-certification can start only after the Swiss Federal Administration approves it and its adequacy decision is finalized.

Key Features of the EU – US Data Privacy Framework

Adequacy decision

The European Commission adopted an adequacy decision that establishes that the US provides personal data protection adequate to meet the GDPR criteria. This means that no additional safeguards are required for the transatlantic data transfer.

Data Protection Review Court

The Data Protection Review Court (DPRC) is an independent review body established by the DPF to investigate concerns about US government agencies’ access to the personal data of EU individuals. EU individuals will have access to an independent and impartial redress mechanism regarding the collection and processing of their data by US intelligence agencies. The DPRC will have the possibility to order the deletion of the data, and the authority to impose corrective measures if needed.

Limiting access by US intelligence

The Data Privacy Framework limits access by US intelligence and other government institutions to what is necessary and proportionate for national security, and establishes an independent redress mechanism for any alleged violation of the data rights of EU residents.

Privacy Principles

The EU – US Data Privacy Framework has the following core privacy principles:

  • Purpose limitation.
  • Additional safeguards for processing special categories of data.
  • Data accuracy, minimization, and security.
  • Deletion of data. When personal data is “no longer necessary for the purpose for which it was collected”, it must be deleted.
  • Transparency.
  • Individual rights.
  • Restrictions on data transfers to third parties or outside the US.
  • Accountability.

Enforcement of the EU – US Data Privacy Framework

The Department of Commerce (DoC) is responsible for the DPF certifications and compliance. The Federal Trade Commission (FTC) and the Department of Transportation (DoT) have the investigatory and enforcement powers to ensure compliance with the EU – US DPF.

The FTC can enforce compliance through administrative or federal court orders. The FTC can impose financial penalties, as well as other remedies, like compensation for individuals for any consequences caused by non-compliance with the DPF.

Companies that repeatedly violate the DPF principles will be removed from the framework and will have to delete all personal data collected under the EU – US DPF.

Frequently Asked Questions

What is the EU – US Framework?

The EU – US Framework is a mechanism to enable compliance with EU data privacy requirements when transferring personal data from the EU to US companies; it entered into force on 10 July 2023. It replaces the EU – US Privacy Shield that was invalidated by the Schrems II judgment of 2020. Use CookieScript CMP to comply with the EU – US Framework.

How does the EU – US Data Privacy Framework differ from the invalidated EU – US Privacy Shield?

The EU – US Data Privacy Framework sets the obligations for US companies like the requirement to delete personal data when it is no longer needed, and to ensure personal data protection when it is shared with third parties. The DPF foresees limiting access to the data of EU citizens by US intelligence services and establishes a Data Protection Review Court (DPRC), which could be accessed by EU individuals.

Is the EU – US Data Privacy Framework already active?

On 10 July 2023, the European Commission adopted its decision on the revised EU – US Data Privacy Framework, which entered into force the same day. October 10, 2023, is the deadline for US companies with active Privacy Shield to comply with the EU – US DPF requirements, while October 17, 2023, is the deadline for US companies with active Privacy Shield to comply with the requirements of Swiss – US DPF. Use CookieScript CMP to comply with both the EU – US Framework and the Swiss – US DPF.

Does the EU US Privacy Shield still exist?

No, the Court of Justice of the EU invalidated the EU US Safe Harbor Framework in 2015 and its successor, the EU US Privacy Shield, in 2020. On 10 July 2023, the European Commission adopted its decision on the revised EU – US Data Privacy Framework, which entered into force the same day. CookieScript Consent Management Platform can help you to comply with the EU – US Framework.

Does the EU – US Data Privacy Framework apply to UK residents?

On June 8, 2023, the UK and the US decided to establish a legal framework to facilitate the transfer of personal data from the UK to the US. The proposed agreement will function as a UK extension of the EU – US Data Privacy Framework. US companies participating in the Data Privacy Framework can self-certify for the UK extension of the DPF. However, self-certification can start only after the UK adequacy decision is finalized. CookieScript Consent Management Platform can help you to comply with the UK extension of the EU – US DPF.

Does the EU – US Data Privacy Framework apply to Swiss residents?

The Swiss – US Data Privacy Framework (Swiss – US DPF) entered into effect on July 17, 2023. Companies that are certified under the Swiss – US Privacy Shield Framework can opt to comply with the new requirements of the Swiss – US DPF. US companies participating in the Data Privacy Framework can self-certify for the Swiss – US DPF. Self-certification can start only after the Swiss Federal Administration approves it and its adequacy decision is finalized. CookieScript Consent Management Platform can help you to comply with the Swiss – US DPF.

Who is responsible for the enforcement of the EU – US Data Privacy Framework?

The Department of Commerce (DoC) is responsible for the DPF certifications and compliance. The Federal Trade Commission (FTC) and the Department of Transportation (DoT) have the investigatory and enforcement powers to ensure compliance with the EU – US DPF. The FTC can enforce compliance through administrative or federal court orders. The FTC can impose financial and other penalties. CookieScript Consent Management Platform can help you comply with the EU – US Framework.
