
Q&A:  What is the US-EU Data Privacy Framework, and How Is It Relevant to Israeli Companies?

What is the DPF?
The EU – US Data Privacy Framework (“DPF”) enables entities to export personal data of EU individuals to DPF-certified recipients in the United States in compliance with the European Union General Data Protection Regulation (“GDPR”). The DPF, which was approved by the European Commission ("Commission") on July 10, 2023, replaces the now-defunct Privacy Shield framework, which was invalidated by the European Court of Justice in July 2020 in the Schrems II decision.

While there are alternative means of legitimizing such data transfers, these entail processes that many companies find cumbersome.

Adoption of the DPF follows a 2022 Executive Order signed by President Biden which introduced enhanced safeguards for the access to personal data by US intelligence agencies and facilitated an independent redress mechanism to handle and resolve complaints by Europeans concerning collection of their data for national security purposes. 
 
Who can self-certify under the DPF?
The DPF is available to US entities regardless of whether they function as processors or controllers.
 
How can our US affiliate certify for the DPF?
To self-certify for the DPF, companies must register on the Data Privacy Framework website and demonstrate adherence to the DPF requirements. Certification is effective once approved by the U.S. Department of Commerce. Entities must re-certify annually. The Data Privacy Framework website includes resources, self-certification instructions, and a list of compliant organizations.

While certifying under the DPF is voluntary, a commitment to comply with the DPF requirements becomes enforceable under U.S. law once made.

Companies that wish to self-certify under the DPF may need to alter their practices related to personal data collection and use to ensure that they comply with DPF requirements.
 
We are an Israeli company.  Is the DPF relevant to us?
Yes.   The DPF has commercial significance to Israeli companies for three main reasons, regardless of whether or not they have affiliates in the U.S.:
  • GDPR Compliance.  As we've noted in prior client releases, applicability of the GDPR is determined on the basis of the location of the data subject, not on the basis of the location of the entity controlling or processing personal data. Therefore, Israeli entities that are physically present in Israel will under certain conditions be subject to obligations under the GDPR, even where activities are not physically conducted in the EU--for example, when personal data of an EU data subject is processed in connection with providing goods and services.  Where Israeli companies export EU personal data to the U.S. (for example, to U.S. affiliates or U.S.-based service providers), these Israeli companies are responsible for ensuring that these data exports are lawful.  The DPF, which legitimizes such transfers to DPF-certified recipients, will ease the process of exporting this data to the US. 
  • Compliance with Israeli law. Like EU law, Israeli law imposes restrictions on the export of personal data from Israeli databases. One of the ways to legitimize data transfers to the U.S. from the perspective of Israeli law is to demonstrate that the data recipient is located in a country which is certified as adequate for purposes of data transfers from the EU. This Israeli legal requirement applies to export of any data from Israeli databases to U.S.-based recipients, not only to exports of data originating in the EU. Prior to 2020, many Israeli companies relied on the Privacy Shield mechanism to legitimize these transfers for the purpose of Israeli law compliance. When the Privacy Shield framework was invalidated in 2020, Israeli companies that relied on this mechanism were required to scramble to make alternative arrangements. It is expected that the DPF will provide a legal basis under Israeli law for exporting data from Israeli databases to U.S.-based recipients. Additional requirements will need to be met to fully legitimize such transfers from an Israeli legal perspective, such as signing a data transfer agreement that meets Israeli requirements.
  • Meeting requirements of EU Customers. Israeli companies are often required by EU customers to show compliance with EU data export restrictions. Ensuring that U.S.-based recipients of EU personal data are certified as DPF compliant will help meet EU-based customers’ requirements.

Does the DPF change the recent Israeli regulations relating to Israeli databases that include personal data of EU data subjects?
No. The DPF provides a mechanism for exporting EU personal data from Israel to the U.S. in a manner that is GDPR-compliant. This is distinguished from the Privacy Protection Regulations (Provisions Regarding Data Transferred to Israel from the European Economic Area), 2023 recently approved by the Israeli Knesset, which apply to EU personal data imported to Israel. A full discussion of these regulations can be found here.
 
What should we do now?
  • Evaluate the commercial benefits of DPF self-certification for U.S.-based affiliates. It is likely that the DPF will face challenge, but for the time being there may be advantages in utilizing this framework rather than relying on alternative arrangements for sanctioning transfers.
  • Evaluate whether U.S.-based data recipients are DPF self-certified or are in the process of certifying, or ensure that other approved transfer mechanisms are in place.
  • Assess obligations to customers. Assess European customer relationships to determine if customer agreements require that U.S.-based data recipients be DPF compliant.
Clients interested in self-certifying for DPF, verifying DPF certification of third parties, or who have other privacy law-related inquiries are encouraged to contact Arnon’s privacy team.
 
________________________________________________________________


This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.

The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.

For further information please contact:
Yoheved Novogroder Shoshan
Partner, Life Sciences & Privacy 
Netanella Treistman
Partner, Technology and Privacy
Netanellat@ArnonTL.com
 
Miriam Friedmann
Partner, Technology and Privacy

MiriamF@ArnonTL.com
Itzhak Bombach
Intern, Technology and Privacy
Itzhak.B@arnontl.com