On Monday, the European Commission formally adopted the long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (DPF). This decision concludes that the United States ensures an adequate level of protection, comparable to that of the European Union, meaning personal data can be freely transferred from the EU to U.S. companies participating in the DPF without putting in place additional data protection safeguards like Standard Contractual Clauses.
While this is welcome news to many, challenges to the adequacy decision are expected, and there is a real risk that the DPF may be invalidated like its predecessors, the Safe Harbor and the Privacy Shield. Thus, companies are left to decide whether they want to certify to the new DPF in light of the European Commission’s decision or continue to rely on existing transfer mechanisms like the Standard Contractual Clauses or Binding Corporate Rules.
There are advantages to certifying to the DPF, particularly for those companies receiving large volumes of EU personal data. The DPF simplifies GDPR compliance by creating a smoother contracting process and removing the need to conduct data transfer impact assessments or implement supplemental security measures. Additionally, organizations that have already certified to the Privacy Shield are expected to easily transition to the DPF, though exact details of the process are not yet final. However, for those organizations that have not certified to the Privacy Shield, the effort required to gather the necessary information and implement a compliance program can be daunting, and the uncertain fate of the DPF may make the initial effort needed to self-certify less appealing. Moreover, organizations transferring data to third countries not subject to adequacy decisions will still need to rely on Standard Contractual Clauses, and the DPF is not applicable in the UK, although an extension of the DPF to UK personal data is expected soon.
For questions about whether your organization should consider self-certification to the DPF, or for assistance with GDPR compliance generally, please contact Kelly Hollingsworth or any other member of the Cybersecurity and Privacy Practice Group at Warner Norcross + Judd.