July 13, 2023

    The New EU-US Data Privacy Framework: What You Need to Know

    On Monday, July 10, 2023, the European Commission made an important decision regarding the EU-US Data Privacy Framework. The decision states that the United States guarantees a level of protection for personal data that is equivalent to the standards of the European Union. This means that personal data can now be transferred securely from the EU to US companies participating in the Framework without the need for additional data protection measures. This decision ensures that personal data will be adequately protected during these transfers.

    Background

    In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield arrangement that had been in place since 2016. This means that businesses that operate in the EU and the US now need to find an alternative to comply with EU data protection laws when transferring personal data to the US. In response to this, the European Commission and the US Department of Commerce have developed a new framework called the EU-US Data Privacy Framework, which was launched on August 10, 2021.

    In this blog post, we will go over the important dates and changes that have come with this new data privacy framework (DPF), as well as discuss why Sharetru is a great option to help businesses comply with these changes.

    You might have read in one of our previous posts about the Trans-Atlantic Data Privacy Framework. The EU-US DPF is based on the Trans-Atlantic Data Privacy Framework ('TADPF').

    Important Dates to Know

    The historical and future timeline for implementing the new DPF involves several critical milestones worth mentioning:

    • July 16, 2020: The CJEU invalidated the EU-US Privacy Shield, which had been in place since 2016.
    • August 10, 2021: The EU-US Data Privacy Framework was launched as a replacement for the Privacy Shield.
    • July 10, 2023: The European Union's adequacy decision for the Data Privacy Framework entered into effect.
    • July 14, 2023: Privacy Shield website (www.privacyshield.gov) will be taken offline at 9:00 PM EST.
    • July 17, 2023: Eligible organizations that wish to self-certify for the EU-US DPF can do so, but they can't rely on the UK Extension before the UK's anticipated adequacy regulations take effect (organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF).
    • July 17, 2023: In addition to the EU-U.S. DPF, the Swiss-U.S. DPF Principles will also go into effect on this date. Organizations that self-certified for the Swiss-U.S. Privacy Shield must comply with the Swiss-U.S. DPF.
    • October 10, 2023: Company Privacy Policies related to the EU-US DPF must be updated by this date to comply.
    • October 17, 2023: Company Privacy Policies related to the Swiss-US DPF must be updated by this date to comply.

    Comparing the Privacy Shield and the New Data Privacy Framework

    One of the main differences between the Privacy Shield and the new Data Privacy Framework is the emphasis on transparency. The new framework requires participating companies to publicly disclose their privacy policies and the third-party service providers they use. Additionally, companies must include an arbitration process in their privacy policies to resolve disputes between EU individuals and US companies. Overall, the Data Privacy Framework provides greater protections and transparency for EU individuals when their personal data is transferred to the US.

    1. Scope of Application: While both the Privacy Shield and the new framework facilitate data transfers between the EU and the US, the latter has expanded its scope to include more data categories, such as artificial intelligence-generated data, a growing component of the digital economy.

    2. Data Protection Standards: The new framework emphasizes a higher standard of data protection, reflecting the principles of the EU's General Data Protection Regulation (GDPR). These include principles such as purpose limitation, data minimization, and stricter necessity and proportionality tests for the use of data.

    3. Data Subject Rights: The new framework provides more robust rights to data subjects, including enhanced transparency about data usage, right to rectification, right to erasure (the so-called 'right to be forgotten'), and a more accessible mechanism to lodge complaints.

    4. Enforcement Mechanism: While the Privacy Shield relied on self-certification by companies and the oversight of the US Department of Commerce, the new framework strengthens enforcement by implementing stricter monitoring and more severe penalties for non-compliance.

    5. Redress Mechanisms: One significant criticism of the Privacy Shield was the inadequacy of redress mechanisms for EU citizens. In response, the new framework establishes a more robust and accessible dispute resolution process. It includes an independent ombudsperson mechanism to address complaints related to access to data by US intelligence agencies.

    Conclusion

    The new EU-US Data Privacy Framework represents a substantial evolution in international data privacy standards, influenced by the EU's commitment to robust data protection and the increasing complexity of the digital economy. As the November 2023 compliance deadline approaches, it's critical for companies that operate across EU and US jurisdictions to understand these changes and their implications. The framework not only increases the protection for data subjects but also enhances trust in digital commerce, making it a win-win for businesses and consumers alike.

    It is essential that businesses find a way to comply with the new requirements to avoid potential legal and reputational risks. Sharetru is a great option for businesses looking to comply with these requirements, thanks to its secure file sharing, user management, compliance tracking, and customizable branding features.

    Why Sharetru is a Great Option to Help Businesses Comply with the Data Privacy Framework

    Sharetru is a file-sharing and file-transfer platform that was developed specifically to help businesses comply with data privacy laws, including the new EU-US Data Privacy Framework. Here are some of the features that make Sharetru a great option:

    Encryption and Retention

    Sharetru uses advanced encryption methods to keep files secure during transfer and storage. This ensures that personal data is protected and not vulnerable to unauthorized access or hacks.

    User Management

    Sharetru allows businesses to manage user access and permission levels, ensuring that only authorized individuals have access to sensitive data. This helps businesses comply with the requirement in the new Data Privacy Framework that participating companies must have robust safeguards in place to protect personal data.

    Compliance Tracking

    Sharetru tracks every action taken on a file and maintains an audit trail of those actions. This allows businesses to demonstrate compliance with data protection laws like the new Data Privacy Framework.

    Customizable Branding

    Sharetru allows businesses to customize the look and feel of their platform, including the login page and email notifications. This helps businesses maintain brand consistency while still complying with data protection laws.

    Brendon Ainsworth

    Brendon, Sharetru's CRO & VP of Sales, brings diverse industry experience, excelling in GCP & AWS infrastructure certifications.
