The EU-U.S. Data Privacy Framework (DPF) has recently become highly relevant for data transfers to the USA. It came into force on July 10, 2023, and provides a guarantee for third-country transfers in the form of an adequacy decision. The DPF enables legally compliant data transfers to those US companies that have expressly certified themselves for this purpose.
It is the third agreement between the EU and the USA on data transfer, after the European Court of Justice declared its predecessors Safe Harbor (Schrems I ruling, 2015) and Privacy Shield (Schrems II ruling, 2020) invalid. Max Schrems, an Austrian data protection activist, had initiated the lawsuits due to the inadequate level of US data protection.
The DPF now includes further guarantees for data protection and strengthens the rights of affected EU citizens. In particular, a two-tier redress system has been set up to simplify complaints by affected EU citizens and to enable them to challenge the decisions made. The activities of the intelligence services will be monitored more closely, and access to data will be limited to what is necessary and proportionate to protect US national security. Certified companies must comply with requirements such as purpose limitation, information obligations, and the fulfillment of data subjects' rights, and they are subject to regular inspections.
It remains to be seen how long the DPF will remain in force. US security laws have not changed as a result of the new adequacy decision, and Max Schrems therefore already has the next lawsuit prepared. In addition, European data protection authorities have already voiced initial criticism of the adequacy of the measures.
However, the DPF currently provides a valid guarantee for transferring personal data to the USA, thus significantly improving the conditions for data transfer. All major hyperscalers are among the participating companies.