THE NEW DATA PRIVACY FRAMEWORK: PRIVACY SHIELD’S REPLACEMENT
The European Union (EU)-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US Data Privacy Framework (UK Extension to the EU-US DPF) and the Swiss-US Data Privacy Framework (Swiss-US DPF) were developed to facilitate transatlantic commerce by providing US organisations with reliable mechanisms for personal data transfers to the US from the EU and European Economic Area, the UK (and Gibraltar) and Switzerland consistent with EU, UK and Swiss data protection laws.
The DPF programme was developed in response to the invalidation of the Privacy Shield Framework by the Court of Justice of the European Union (CJEU) in 2020. The CJEU found that the Privacy Shield did not adequately protect EU citizens’ personal data from access by US intelligence services.
Why is this important?
US organisations need the DPF programme to comply with EU, UK and Swiss data protection laws, such as the EU General Data Protection Regulation (GDPR), one of the strictest data protection laws in the world. It requires businesses that process the personal data of EU citizens to comply with certain requirements, such as obtaining consent for data processing and providing individuals with access to their data, deleting data when it is no longer necessary, implementing appropriate technical and organisational measures to protect personal data, and transferring personal data only to countries outside the EU that have adequate safeguards in place.
Fines for violating the GDPR can be significant –
up to €20m or 4 percent of the organisation’s global annual revenue from the preceding financial year, whichever is greater. Understanding the options to avoid running afoul of these data protection laws is essential. The DPF provides US organisations with a mechanism to demonstrate compliance with the GDPR and other data protection laws.
Jan-Mar 2024 issue
International Centre for Dispute Resolution (ICDR)