The Commission’s decision of 10 July, 2023, on the adequate level of protection of personal data under the EU-US Data Privacy Framework restores legal certainty for businesses that transfer personal data to US-based entities in the course of their activity.
In this decision, the European Commission decided that the US ensures an adequate level of protection for personal data transferred to entities in the US that are on the Data Privacy Framework List. The list of these entities is publicly available on the US Department of Commerce website. The Data Privacy Framework is based on a system of self-certification – this means that US entities themselves publicly confirm the implementation of the EU-US Data Privacy Framework Principles laid down in the annex to the Commission’s decision. The decision applies from 10 July, 2023.
If a particular US entity (data importer) is on this list, the EEA entity (data exporter) is not required to enter into standard contractual clauses or other additional agreements with the data importer in this regard.
If a specific entity is not on the List, the data exporter may base the transfer of data to the US on one of the grounds in Article 46 GDPR. In most cases, the parties will probably conclude standard contractual clauses. The transfer of data on this basis is already safer, as the safeguards put in place by the US government in the area of national security apply to all data transferred to US entities. Therefore, when assessing the effectiveness of the chosen transfer tool under Article 46 GDPR, data exporters should take into account the assessment made by the Commission in its decision of 10 July, 2023.
It should be noted that entities that self-certified under the Privacy Shield, which was invalidated by the Schrems II judgment of the EU Court of Justice, are placed on the Data Privacy Framework List conditionally. These entities have three months from the date on which the Commission decision takes effect (i.e. until 10 October this year) to update and adapt their privacy policies in accordance with the decision. Notwithstanding the need to comply with the decision, these entities should recertify in accordance with the deadlines set out in the Data Privacy Framework List.
Authors: Dominika Nowak-Byrtek, Katarzyna Syska