The processing of personal data has been a very delicate topic in recent years and the relationship between the European Union and the United States regarding this issue has always been stormy, in particular since the introduction of the well-known GDPR in 2016.
In the last month, there has been a lot of talk about the EU-US Data Privacy Framework and a lot of confusion has arisen about it. This new political agreement regulates the transfer of data from the European Union to the USA, and anyone who operates online needs to be familiar with it.
What is the EU-US Data Privacy Framework?
Often abbreviated as DPF, the Data Privacy Framework is an agreement involving both the European Union, represented by the President of the EU Commission, Ursula von der Leyen, and the United States, represented by the current President, Joe Biden.
This agreement allows the transfer of data by European companies, provided they meet a series of requirements, including:
- Inform data subjects about the data processing, usually through the inclusion of a clause in the privacy policy.
- Be available to resolve any conflicts that may arise.
- Ensure the specific use and integrity of information both by the company and by third parties.
The DPF programme provides details about all the practices to be followed to meet its requirements, but in general these address the transparency of data processing and the traceability of the data.
Generally speaking, the introduction of the DPF represents a fundamental aspect for most companies operating online, which will have to pay greater attention to their policies. Previous measures, such as the Privacy Shield, are in fact obsolete.
What is the Privacy Shield and Why is it Obsolete?
Similar to the current DPF, the Privacy Shield was a privacy agreement between the European Union and the United States, introduced in 2016 and declared invalid in 2020 by the EU Court of Justice.
Also in this case, the process behind the agreement had been severely hampered by the tension between the EU's focus on user data (especially after the GDPR crackdown) and the US-style freedom of use, including by intelligence agencies operating on American soil.
Therefore, companies that want (or must) transfer their data to a US company will have to check that the recipient has changed its policy in response to the DPF.
At the same time, US companies will have to take action to avoid the risk of being blocked or sanctioned under the new legislation.
Public opinion is following this change very carefully, given the constantly growing concern about the processing of personal data in recent years.
What Needs to be Done to Comply?
All those who operate online with their own portal or business must therefore ensure that they are fully compliant with the new DPF. This is an important job for Data Protection Officers, who will have to control all data movements towards the USA.
At the same time, however, it is good to rely on the Standard Contractual Clauses: if the DPF follows the same path as its predecessor, then it cannot be ruled out that it will be invalidated or retracted later.
If the topic of data localization and its protection during transmission interests you, we invite you to contact Artera.
Active for years as a premium ISP dedicated to the B2B sector, we can help and support businesses that need specific advice on privacy and want to be sure that they are in compliance. Contact Artera today and protect your business!