Are you a company that exchanges personal data between the EU and the US? If so, we have important news for you. On July 10, 2023, the European Commission adopted its approval decision on the EU-US Data Privacy Framework (DPF).
This decision means that the United States is once again recognized as providing an adequate level of protection to its European Union (EU) counterpart. As a result, personal data can now flow freely from the EU to U.S.-certified companies without the need for additional safeguards.
This has a significant impact on companies and organizations engaged in data transfers between the EU and the US. It restores confidence and certainty in transatlantic data transfers that were shaken after the Schrems II ruling.
The new framework addresses the concerns that led to the invalidity of the previous Privacy Shield framework. It proposes several key revisions, including limiting access to data by U.S. intelligence agencies to what is considered "necessary and proportionate."
For the past three years, the use of Google Analytics and other tools that sent personal data to the U.S. was not allowed. This meant users faced legal uncertainties and potential data privacy issues. This new decision has finally clarified the ways in which personal data transfers can occur.
But before data flows can resume, U.S. service providers such as Google must self-certify with the EU-US DPF. Herein lies a possible solution, but we must wait for the service providers affected by this decision to complete their self-certification process. Once they have done so, website owners would likely be able to use these tools again.
A new double-layer mechanism has been introduced to improve accountability and protect the rights of EU individuals. It also allows EU individuals, whose data has been transferred to certified U.S. companies, to access their data, request corrections and access grievance channels.
The EU-US DPF will be subject to periodic audits to ensure continuous compliance and effectiveness.
No immediate action is needed at this time. We must wait for U.S. companies to complete the certification process before data flows can begin. The European Commission's approval decision marks an important milestone in transatlantic data privacy.
source: European Commission