In the past, there were legal issues following the Safe Harbor ruling and the failure of the EU-US Privacy Shield. Website operators and entrepreneurs who used U.S. tools and services were illegally transferring data to the U.S., which could result in fines and warning letters.

Now, however, there is a positive turn of events: The European Commission and U.S. President Joe Biden have agreed on a new transatlantic data protection framework, the EU-US Data Privacy Framework, which came into force on July 10, 2023. Thanks to this new framework, the use of tracking, analytics and marketing tools from the U.S. is allowed again, but only under certain conditions.

In this text, we will highlight the latest developments in this area and show you, as a website operator, what steps you now need to take to use US tools in a legally secure way.

Why was the exchange of data between the EU and the USA a problem?

The European Union (EU) has strict rules for handling the personal data of its citizens. The main purpose of these rules is to protect privacy, and businesses must comply with them strictly. So if a business owner sends data from users located in the EU to countries outside the EU, it must ensure that a level of data protection similar to that in the EU exists there.

If this is the case, the data transfer to a secure third country can be handled like a transfer within the EU. The decision as to whether a country is a safe third country is made by the European Commission by means of an adequacy decision. Once such a decision is adopted, personal data may flow from the European Economic Area to this third country without any further conditions or approvals being required.

However, in the case of data exchange between the EU and the U.S., there have been doubts about the quality of data protection provided by the U.S. government and its intelligence agencies. For this reason, the European Court of Justice declared the existing adequacy decisions invalid in 2015 and 2020. It ruled that the data of EU citizens was not sufficiently protected from U.S. surveillance activities.

As a result, the use of website services that send personal data of EU citizens to servers in the U.S. became illegal. Data exchange was thus only possible with extensive additional safeguards, and even then it was legally ambiguous. Legal data exchange with the USA was practically no longer possible.

How can companies now transfer personal data to the USA in a legally secure manner?

Under the current adequacy decision, the U.S. is recognized as providing a level of protection for personal data equivalent to that of the EU when such data is transferred from companies in the EU to companies in the United States. However, this only applies to those companies that participate in the EU-US data protection framework.

How and when will U.S. companies participate in the new privacy framework?

To be recognized as a secure entity to receive data and comply with the rules of the EU-US data protection framework, a US company must go through a process of self-certification by the US Department of Commerce (DoC). In this procedure, the company must submit various documents. Upon successful submission of these documents, the company will be added to the Data Privacy Framework (DPF) list and will thus be considered self-certified according to the requirements of the new data protection framework.

Although this process may seem complicated at first glance, it is actually said to be quite straightforward. Especially for companies that have already participated in the first Privacy Shield, the transition from the Privacy Shield conditions to the DPF should be relatively easy. These companies should adapt their privacy notices to the newly introduced requirements of the DPF, and do so within three months.

Once a U.S. organization has received certification, it must renew that certification annually. In this regard, the U.S. Department of Commerce has stated that the procedure for self-certification and annual renewal of certification will remain basically the same so as not to create additional barriers.

What do companies in the EU have to do now if they want to transfer data to the US?

European data exporters wishing to send personal data from the EU to the U.S. pursuant to the DPF adequacy decision must ensure in advance, on the DPF website, that the U.S. data recipient holds a DPF certification and that this certification covers the specific data transfer.

In the style of the former “Privacy Shield”, a database is to be set up listing US companies that have obtained certification.

This list can be found on the Data Privacy Framework Program website under the “Data Privacy Framework List” section.

DPF list:

In this database, website operators can search for specific companies and verify that valid self-certification is in place.

Which US service providers can be used in a legally secure manner?

Currently, the use of all U.S. services certified under the DPF is legally protected. U.S. firms must complete a self-certification process in order to rely on the adequacy decision. For providers with many EU users or customers, such as Meta, Google, Microsoft or AWS, you can assume that the certification is in place.

Important Notice:
The implementation of the DPF does not mean that consent via a cookie consent tool is no longer required for US-based tools.

For almost all tracking tools (e.g. Google Analytics, Meta Pixel, Hotjar, etc.) you need consent. It is irrelevant whether the tool originates from the USA or not. The user must be able to decide whether they want to allow tools like Google Analytics to collect data about them. Data transfer to the U.S. is a separate issue.

Here you need adequate safeguards to be able to transfer the data to a third country – which are now in place with the new DPF.

Obtaining consent is therefore still legally required.
