Are you a company that exchanges personal data between the EU and the US? If so, we have important news for you. On July 10, 2023, the European Commission adopted its approval decision regarding the EU-US Data Privacy Framework (DPF).
This decision means that the United States is once again recognized as a country that provides an adequate level of protection for its European Union (EU) counterpart. As a result, personal data can now flow freely from the EU to US-certified companies without the need for additional safeguards.
This has a significant impact on businesses and organizations engaged in data transfer between the EU and the US. It restores trust and certainty in transatlantic data transfers that were shaken after the Schrems II ruling.
The new framework addresses the concerns that led to the invalidation of the previous Privacy Shield framework. It proposes several key revisions, such as limiting access to data by US intelligence agencies to what is deemed "necessary and proportionate."
What does it mean for the use of Google Analytics, for example?
For the past three years, the use of Google Analytics and other tools that sent personal data to the US has been prohibited. This meant that users faced legal uncertainties and potential data privacy issues. This new decision has finally provided clarity on how personal data transfers can take place.
However, before data flows can resume, American service providers like Google must certify themselves under the EU-US DPF. This presents a possible solution, but we must wait for the service providers affected by this decision to complete their self-certification process. Once they have done so, website owners will likely be able to use these tools again.
A new dual-layer mechanism has been introduced to enhance accountability and protect the rights of EU individuals. Additionally, EU individuals whose data has been transferred to certified US companies will be able to access their data, request corrections, and utilize complaint channels.
The EU-US DPF will be subject to periodic checks to ensure that compliance and effectiveness are continuously maintained.
At this moment, no immediate action is required. We must wait for American companies to complete the certification process before data flows can begin. The European Commission's approval decision marks an important milestone in transatlantic data privacy.