
Difficulties with Transatlantic Data Management

This July the European Commission reached a new decision seeking to ensure appropriate protection for data transferred from the EU to the United States. The previous agreement between the EU and the US, the “Privacy Shield”, was declared ineffective after complaints against Facebook by human rights defender Maximilian Schrems, the revelations by Edward Snowden, and the Facebook-Cambridge Analytica scandal.

The new decision is already in force and outlines a few important requirements for businesses:

  • US data controllers will have to confirm that they comply with the requirements set out in the decision, through either internal measures such as staff training or external ones such as audits, inspections or technological solutions.
  • US data controllers will be required to ensure that appropriate technical and organisational measures are in place to adequately protect personal data.
  • US data controllers will be required to ensure the exercise of the rights of data subjects, including the right to access, rectify or erase the subjects’ data.
  • A court will be set up to which EU citizens can turn if their rights are violated during data processing by US authorities or private parties.

In order to pass data from the EU to the US, data controllers in the US will have to be certified and added to the Data Privacy Frameworks List published by the US Department of Commerce.

What businesses should know:

  • There will be simplified procedures in place for EU-based companies seeking to provide data to US-based data controllers which are on the Data Privacy Frameworks List, thereby making it easier to work with certified and listed US-based data controllers.
  • If the US-based data controller is not on the list, the security measures outlined in Article 46 of the GDPR will be required.