Introduction
At a time when data privacy is paramount, the EU-US Data Privacy Framework (EU-US DPF) plays a critical role in governing transatlantic data transfers. However, many US companies have allowed their certifications under this framework to lapse, leading to potential non-compliance risks with substantial implications. As of today, that number of lapsed organisations stands at 3783
The EU-US Data Privacy Framework Explained
Adopted by the European Commission on July 10, the EU-US DPF allows for the transfer of personal data from EU entities to US entities that have obtained the EU-US DPF certification, subject to specific requirements. This development is significant, as certified entities no longer need to rely on additional safeguards such as the EU Standard Contractual Clauses (EU SCCs) for data transfer. The framework aligns with the General Data Protection Regulation (GDPR) and is based on seven fundamental principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement, and Liability.
Certification and Enforcement
For US organisations to participate in the EU-US DPF, a public declaration of compliance with these principles is mandatory. This involves making privacy policies publicly available and providing information on processing activities. However, there are costs associated with certification, ranging from $250 to $4,875 annually, plus additional legal and advisory fees. Once certified, the commitment becomes enforceable under US law, with non-compliance leading to penalties or removal from the DPF List.
Lapsed Certifications: A Rising Concern
A significant number of companies have let their Privacy Shield certifications lapse, primarily due to the uncertainty following the Schrems II ruling. This lapse poses a risk, as non-compliant transfers can result in severe penalties. If a company was not previously certified under the Privacy Shield, it needs to establish internal and external policies conforming to the DPF.
Compliance Obligations for UK, EU, and CH Data Controllers
Data controllers in the UK, EU, and Switzerland (CH) are mandated to check the certification status of their US data processors before allowing personal data transfers. This step is crucial to ensure that the data processors comply with the EU-US DPF, thus safeguarding the data being transferred against misuse or unauthorised access.
How US Companies Can Check Their Certification Status
US companies can verify their certification status through the participant search feature available at EU-US Data Privacy Framework Participant Search. This tool is essential for both US companies seeking to ensure their compliance and for EU, UK, and CH data controllers to verify the status of their US counterparts.
Conclusion
The EU-US Data Privacy Framework is vital for ensuring data privacy in transatlantic data transfers. US companies must be proactive in maintaining their certifications to avoid non-compliance risks. Similarly, data controllers in the UK, EU, and CH need to diligently verify the compliance status of their US data processors to safeguard against potential data privacy breaches and associated penalties. Formiti delivers a portfolio of global data privacy services to clients worldwide.