What’s this all about?
The much-awaited EU-US Data Privacy Framework (“the DPF”) finally arrived earlier in the summer.
Following the European Court of Justice’s ruling over three years ago that the EU-US Privacy Shield data transfer system was invalid the EU and the US have been working to find a replacement system. The result is the DPF scheme, which is now up and running, the upshot being that personal data can be freely and safely transferred from the EU to the US (where a US entity has signed up to the scheme).
A podcast about the DPF can be found here https://www.complianceandethics.org/andre-bywater-on-the-eu-us-data-privacy-framework-podcast/.
In this SCCE podcast, André Bywater, partner at Cordery Compliance addresses the following questions concerning the DPF:
- What’s new with the DPF?
- Can personal data now simply be transferred from the EU to the US without doing anything else?
- Are there any potential failure points to be on the lookout for, i.e. what are the easy mistakes organizations could make that would leave them out of compliance?
- The UK is outside of the EU, so, how does this affect data transfers involving the UK?
- The big question is: will this stand? Max Schrems pressed the case which defeated the Privacy Shield regime (and the Safe Harbour scheme before that). Will he be doing the same thing again?
What does this mean for compliance teams in a nutshell?
Consideration needs to be given to:
- Determining whether personal data is transferred from the EU to the US; and,
- If so, whether that would best be done through the DPF, which would require a US entity to sign up to the scheme along with all the paperwork that comes with that.
If a US entity does sign up to the DPF then consideration would also need to be given as to what to do about any existing arrangements under which personal data is being transferred such as Standard Contractual Clauses (and their related Transfer Impact Assessments).
For more about the DPF see the Cordery DPF FAQs here: https://www.corderycompliance.com/eu-us-dpf-0723-5/, and also see the Cordery film here: https://www.corderycompliance.com/dpa-0823-03/.
For more information please contact André Bywater a commercial lawyer with Cordery in London where his focus is on compliance issues.
|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 347 2365|