The new EU-U.S. Data Protection Framework came into effect on 10th July. Two weeks after, we’ll take a look at how it works in practice and how you can use it.
The new EU-U.S. Data Protection Framework is a legal framework between the EU and the U.S. to make it easier for EU companies to transfer data to the U.S. (and the idea is to make it easier for EU companies to use U.S. vendors).
On 17 July, a website dedicated to the Data Privacy Framework (“DPF”) was launched. On the website, you can see active certified organizations. So this is the website you should use to find the list of certified organizations.
You should note that not all U.S. companies are on the list.
Only companies that were part of the Privacy Shield (which was invalidated by the Schrems II decision) can rely on the new framework and they are the ones that will appear on the list.
U.S. companies that weren’t part of the Privacy Shield can’t immediately get on the list. They will need to either start the certification process to get on the list (which will take some time) or continue using e.g the EU Standard Contractual Clauses (SCCs).
You should also know that companies in certain sectors (health care, financial services and non-profit institutions) are excluded from DPF and can’t seek certification.
Although the adequacy decision came into force on 10 July 2023, you can’t just automatically rely on it for all data transfers to your vendors in the U.S.
So what should you do? Here are a few helpful steps:
Check if the vendor is on the certified companies’ list.
To sum up - the new Framework is certainly helpful for EU companies sending data to the U.S. But it doesn't eliminate the need to vet your U.S. vendors and make sure there’s a valid transfer mechanism you can rely on.
By the way, you should consider if it's sensible to continue using the SCCs as a fallback option. The reason is that the U.S. vendor might cease to be certified or in case the Framework is struck down (as was the case with the Privacy Shield - NOYB has already announced that they will challenge it..).
P.S. If you want to transfer data to the U.S. from the UK or Switzerland - you can’t rely on the Data Privacy Framework just yet (the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF are still to be approved).
On 18 July, the European Data Protection Board adopted an information note on the adequacy decision. The Danish Data Protection Authority helpfully highlighted the key points here.