No Match Found
On 10 July 2023, the European Commission adopted its adequacy decision regarding the EU-US Data Privacy Framework (DPF), essentially concluding that participating companies under the Framework offer an adequate level of protection compared to the EU. As a result, EU-based companies may transfer personal data to certified companies in the United States without needing to put any additional transfer mechanisms and safeguards in place.
In essence, the EU-US DPF states that, from its entry into force on 10 July 2023, data transfers from the EU to the US can safely be allowed and need not be subject to additional transfer mechanisms, so long as the receiving company participates in the Data Privacy Framework.
As we had already highlighted in our previous post on the EU-US DPF, it introduces several important safeguards and improvements to its predecessor, the EU-US Privacy Shield, which was invalidated in Schrems II, including:
Like its predecessor, the EU-US DPF is a self-certification programme under which participating US companies agree to comply with a detailed set of DPF privacy obligations and principles. This self-certification can be done with the US Department of Commerce’s website. A list of certified companies is published and made available on the website for EU data exporters to verify the status of their data importing counterpart.
Despite the adoption of the adequacy decision offering long-awaited relief and legal certainty for companies transferring their data to the US, it remains to be seen if and how it will hold up in court. Max Schrems, founder of NOYB – the European Center for Digital Rights has already communicated that they expect to bring a legal challenge to the Court of Justice of the European Union (CJEU). The US’s surveillance powers remain a main point of concern for critics.
The Federal Data Protection and Information Commissioner (FDPIC) issued a statement on 11 July to acknowledge the European Commission’s adequacy decision, and confirmed that it is in advanced discussions with the US over a parallel framework, the so-called Swiss-US Data Privacy Framework.
Should such a Swiss-US DPF be introduced, an adequacy decision by the Federal Council will first need to be issued before Swiss companies can rely on it. With the upcoming revision of the Swiss Federal Act on Data Protection (revFADP) on 1 September 2023, this is likely to take a few more months. Until then, the Swiss adequacy list (on which the US currently does not feature) remains unchanged.
We would be happy to further discuss or address any questions that you may have about the DPF or our data privacy services more broadly.
Partner Legal, PwC Switzerland
Tel: +41 58 792 18 56
Director | Head of FinTech, Blockchain and Digital Assets, PwC Switzerland
Tel: +41 58 792 92 24
Senior Manager, FS Regulations, PwC Switzerland
Tel: +41 58 792 29 93
Manager | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 44 00
Associate | Data Privacy | ICT | Implementationᐩ , PwC Switzerland
Tel: +41 58 792 44 00
Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 49 64