Technology and Intellectual Property / July 2023

EU-US Data Privacy Framework

What is the EU-US Data Privacy Framework?
After complex negotiations, on July 10, 2023, the EU Commission approved the new transfer mechanism between the EU and the US: the EU-US Data Privacy Framework (“DPF”). The DPF was adopted to facilitate the transfer of personal data subject to the GDPR to US companies that are certified under the DPF. The DPF was created in response to the invalidation of the Privacy Shield by the Court of Justice of the European Union on July 16, 2020.

Is the US an adequate country after this decision?
No, the US is still not an adequate country. However, US-based companies certified with the US Department of Commerce (“DOC”) as part of the Data Privacy Framework List (the “List”) will be able to receive personal data subject to the GDPR without the need for additional measures.

If my US entity is registered with the DPF, do I need to perform a transfer impact assessment (TIA) for my transfers to the US?
Entities that are registered in the List do not have to conduct additional assessments or implement additional safeguards. However, other companies located in the US which are not part of the List (e.g., potentially, some of your sub-processors) will still have to conduct transfer impact assessments, and the obligation to implement additional safeguards when transferring personal data subject to the GDPR to them remains.

How do I register my US entity with the DOC?
The DOC will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Compliance by companies that are part of the List with their DPF obligations will be enforced by the US Federal Trade Commission (“FTC”), the U.S. Department of Transportation (the “DOT”), and potentially other authorities that may be added in the future. US companies can certify with the DPF by committing to comply with the DPF’s principles, which include a list of privacy obligations, such as data minimization, purpose limitation, data security, and limiting data sharing with third parties. In addition, US companies certified to the DPF will have to offer data subjects different redress options in case their data is wrongly handled. On July 17, 2023, the US DOC published the DPF’s website, which includes a mechanism to register and self-certify to the DPF, to the UK Extension (discussed below), and to the Swiss-U.S. DPF.

If my company is Privacy Shield certified, what is my status under the DPF?
Privacy Shield-certified companies will not need to submit a separate certification request to be certified under the DPF. Instead, companies with active Privacy Shield certifications have been transferred and are already on the List, and are required to comply with the DPF principles. Privacy Shield-certified companies must update their privacy policies to align with the DPF by October 10, 2023. If a company that was previously certified with the Privacy Shield chooses not to participate in the DPF, it must actively withdraw from the DPF.

What is the status of transfers of personal data from the UK and Switzerland to the US under the DPF?

UK: Starting July 17, 2023, companies in the US that wish to self-certify with the UK Extension to the EU-U.S. DPF can apply for that extension. The UK Extension is subject to additional regulations that will be enacted to address transfers of information from the UK (and Gibraltar) under the UK Extension (aka the “UK Data Bridge”). Companies may not begin transferring information to the United States under the UK Extension until the UK Data Bridge is enacted, which is estimated to happen this year. Organizations that wish to participate in the UK Extension must also be certified under the EU-U.S. DPF.

Switzerland: The Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) entered into effect on July 17, 2023. Companies that are Swiss-U.S. Privacy Shield-certified must comply with the Swiss-U.S. DPF principles, including by updating their privacy policies by October 17, 2023. Companies with a Swiss-U.S. Privacy Shield certification have been automatically entered into the Swiss-U.S. DPF. As with the DPF, if a company previously certified with the Swiss-U.S. Privacy Shield chooses not to participate in the Swiss-U.S. DPF, it must actively withdraw from the framework.

What is the status of transfers of personal data from Israel to the US under the DPF?
The transfer of personal data outside of Israel is regulated by the Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 2001. These regulations allow the transfer of personal data to a country that is considered adequate under the GDPR if such country extends the same conditions to personal data transferred from Israel, which must be, at a minimum, the protections that are in place in Israel. As discussed, the DPF does not make the US an adequate country for data transfers under GDPR. Therefore, it is still uncertain whether data transfers from Israel can rely on the alternatives presented by the DPF, as the protections offered may not extend to personal data exported from Israel. In other words, the adoption of the DPF does not seem to affect the ability to transfer personal data from Israel to the US and companies that wish to transfer personal data from Israel to the US will need to continue relying on one of the other alternatives provided under the Israeli transfer regulations.