
EU-US Data Privacy Adequacy Decision Introduces New Framework for Free Flow of Personal Data Between Europe and USA

Yusra Kayani
Jul 21, 2023 8:00:00 AM

In this post, Pixalate, the global market-leading fraud protection, privacy, and compliance analytics platform for Connected TV (CTV) and Mobile Advertising, reviews an update on international transfers of personal data, which will now take place under the newly adopted European Union - United States Data Privacy Adequacy decision.

About the author: Yusra is a data protection and privacy specialist with experience advising the global pharma and automotive industry on a range of privacy matters connected to in-house, B2B and B2C setups. She specializes in providing pragmatic legal advice and guidance under Europe's key legal and regulatory frameworks relating to Data Protection, Compliance and Corporate Governance. Before joining Pixalate, Yusra worked as a Data Privacy Counsel for the German pharmaceutical company Boehringer Ingelheim and, prior to that, as a Privacy Specialist at Porsche Cars.

Summary:

  • The EU-US Data Privacy Adequacy decision was adopted on July 10, 2023, enabling the free flow of personal data between the EU/EEA and the United States.
  • The new framework, the EU-US Data Privacy Framework (EU-US DPF), requires U.S. organisations that were certified under the former EU-US Privacy Shield Framework to update their privacy policies by October 10, 2023 and comply with the new DPF. Existing certification dates will remain in effect.
  • The International Trade Administration (ITA) is set to launch its Privacy Shield website on July 17, 2023. This will be used for self-certification submissions under the EU-US DPF, the UK extension of the EU-US DPF, and the Swiss EU-US DPF.
  • The UK extension of the DPF isn't finalised for data transfer yet, but self-certification is available. Swiss-US DPF compliance is also possible for companies previously part of the Swiss-US Privacy Shield, with updates to privacy policies due by October 17, 2023.
  • Despite the decision to simplify data flow, not-for-profit organisation NOYB, led by Maximilian Schrems, plans to challenge the decision legally, predicting that the new DPF could be under scrutiny by the European Court of Justice by early 2024.
  • The EU-US DPF is a positive outcome for the AdTech industry as it is once again opening the doors to cross-border data transfers outside of the EU. However, companies must familiarise themselves with the new safeguarding obligations the DPF introduces for enabling redress and data protection rights for EU residents.


Background:

After the Court of Justice of the European Union (CJEU) issued the Schrems II judgement, adequacy decisions in favour of the USA permitting free flow of restricted data transfers did not occur for over two years. Whilst attempts were made to resurface the previously invalidated framework, they fell through due to inadequacies already underlined in Schrems II.

This pause not only impacted the way restricted transfers of personal data took place between the EU and U.S. but also required additional transfer mechanisms (such as the Standard Contractual Clauses) to be put in place before a company made any transfers to receiving companies outside of the EU/EEA region. Data controllers (or Data Exporters) were also required to carry out laborious and time-consuming processes, such as Transfer Impact Assessments (TIA), that often provided uncertain results. Companies would have to put in place additional safeguarding measures to keep restricted transfers safe and protected throughout the transfer's journey.

This is because Chapter V of the EU and UK General Data Protection Regulation (GDPR) places restrictions on transfers of personal data outside of the UK and EU/EEA regions. These restrictions are based on the philosophy of ensuring that benefits of high data protection standards continue to apply to EU and UK residents even if their personal data is transferred outside of these regions.

In other words, the GDPR only permits restricted data transfers if the data receiver is either covered under the scope of adequacy regulations or by putting in place ‘appropriate safeguards’ prior to continuing with such a transfer. Undoubtedly, some exemptions are allowed, but these are fairly exhaustive and limited in scope, making them inapplicable in most commercial industry areas that focus heavily on personal data processing.

New Framework: The EU-US Data Privacy Framework

After various reviews and considerations of the law, on July 10, 2023, the EU Commission adopted its adequacy decision for safe and trusted international data transfers between the EU and U.S.

This decision creates a revived pathway for U.S.-based organisations to rely on the new legal framework established under the EU-US Data Privacy Framework (EU-US DPF) for conducting restricted transfers of personal data. As per the EU Commission, the DPF sets an equivalent standard to that established under the EU GDPR when conducting international transfers of personal data.

Some key operational elements that U.S.-based organisations must now consider are as follows:

  • Organisations that are already self-certified under the old EU-US Privacy Shield Framework (EU-US Privacy Shield) will now have to comply with the new EU-US DPF. These organisations should also start updating company privacy policies to reflect the new DPF adoption, as the deadline to do so is October 10, 2023.
  • Organisations already self-certified prior to the new adequacy decision do not need to make new initial self-certification submissions to join but can immediately start relying on and complying with the EU-US DPF when conducting restricted data transfers.
  • Any updates and renaming within privacy policies under the new EU-US DPF do not by default change the organisation’s original renewal date; this means that existing expiry dates are still applicable and organisations will need to apply for recertification prior to their date of expiry.
  • Organisations that were part of the old Privacy Shield but currently do not wish to join the new EU-US DPF must follow the International Trade Administration’s (ITA) withdrawal process referred to under Supplemental Principle on Self-Certification.

Additionally, from July 17, 2023, ITA will also launch its Privacy Shield website to allow organisations to submit self-certifications and join the EU-US DPF. The website will also cover submissions for the UK Extension of the EU-US DPF (when applicable) and the Swiss EU-US DPF.

The website will also enable organisations to make their annual renewal submissions for each framework and will further include a variety of guidance materials and supportive measures.

Restricted Transfers from the United Kingdom & Switzerland

One key point to highlight concerns the UK Extension of the DPF. Whilst organisations can start self-certifying with the UK Extension for compliance purposes, they cannot yet rely on the UK-US data bridge for conducting any restricted transfer. The data bridge remains to be finalised and can only be relied upon for such data transfers once it is concluded and comes into effect.

However, organisations that previously participated under the Swiss-US Privacy Shield can start complying with the new Swiss-US DPF and update their privacy policies before October 17, 2023, in line with the EU-US DPF set up.

Impact on AdTech

The DPF mechanism will generally be welcomed by the advertisement technology sector; backed by the White House as an economic relationship worth $7.1 trillion, the new adequacy decision also ends a deadlock that found U.S.-based technology companies restricted from processing personal data of EU-based customers. As large social media companies like Meta continue to rely on hefty revenues resulting from ads delivered within Europe, it is becoming evident that Europe will continue luring in U.S.-based tech giants, with more companies anticipated to rely on the DPF and gain access to European consumer data.

The DPF translates into more flexibility when accessing customer data without undergoing time-consuming and expensive processes to put in safeguards prior to transferring personal data. U.S.-based tech companies working with local sub-processors can also rely on the DPF to share and view customer data with each other for purposes such as optimisation and web analytics.

However, U.S.-based companies wishing to import data from the EU must take note of the strict obligations that kick in under the new framework; the DPF offers several avenues to EU residents for redress if any mishandling of their personal data occurs, including the availability of free and independent dispute resolution mechanisms. It also gives EU residents the ability to access their personal data and to request corrections and even deletion of data if they suspect that their personal data is being handled unlawfully by such data importing companies.

Though we anticipate a phase in which the U.S. Department of Commerce will scrutinise these heightened safeguards and their compliance in practice, a bigger challenge for the ad industry may be forthcoming via the strict regulations that have come into effect recently under the Digital Markets Act.

Ad tech platforms will also have to carefully review their partners’ privacy policies by the deadlines (mid-October 2023).

Anticipated Legal Challenges

While some may welcome this decision that enables a friction-free flow of personal data across the Atlantic, not-for-profit organisation NOYB is gearing up to bring another legal challenge against the newly-issued adequacy decision.

The Chairman and Founder of NOYB, Maximilian Schrems, has already issued an open letter to the EU Commissioner demanding an apology for referring to legal challenges backed by not-for-profit campaigners and brought to the CJEU as “business models.” As per NOYB’s assessment, there are little to no changes in the new adequacy decision, and it expects the new DPF to be back under the European Court of Justice’s scrutiny by the beginning of 2024.

List of Top Apps Impacted

Pixalate has compiled a list of the top 20 most popular apps based on programmatic ad traffic in the EU that currently have international data transfer clauses in their privacy policies. Access the full list of apps here:

Download the List
