The EU-U.S. Data Privacy Framework introduces robust and binding safeguards to address concerns raised by the European Court of Justice. These measures include limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC) accessible to EU individuals. Compared to the previous Privacy Shield mechanism, the new framework brings significant improvements, such as the power for the DPRC to order the deletion of data collected in violation of safeguards.
What does it mean in practice?
With the passing of the EU-US Data Privacy Framework, companies can now commit to a detailed set of privacy obligations to ensure protection when transferring EU personal data to the US.
In practice, the framework includes protections reminiscent of those under the European standard of GDPR, such as:
- the requirement to delete personal data when it is no longer necessary for its original purpose
- ensuring continuity of protection when sharing data with third parties
- the requirement for EU individuals to have access to various redress avenues in case their data is mishandled by U.S. companies, including independent dispute resolution mechanisms and an arbitration panel, providing recourse for affected individuals
What should companies who previously relied on the EU-US Privacy Shield know?
Since the invalidation of the EU-US Privacy Shield, companies have relied on alternate data transfer safeguards and standards such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). These companies can continue using the SCCs or BCRs for now and consider transitioning to the EU-US Data Privacy Framework in the future for added benefits. The news is also positive for companies who previously relied on the Transatlantic Invalidation Agreement (TIA) and are currently transferring data, as the risk of transfer issues has significantly decreased.
Regardless of the chosen data transfer method, however, companies should remember to update their Privacy Policy accordingly. This ensures that their data processing practices align with the latest compliance requirements.
If you are considering transitioning to this new adequacy decision to ensure full compliance or need assistance with updating your Privacy Policy, our team is ready to assist you – let’s discuss it here!