What is the Data Privacy Framework?

Current European law prohibits businesses from sending personal information about European citizens to companies in the United States (US) without specific contractual obligations to protect the privacy of the information.  However, the current Data Privacy Framework (DPF) allows US companies that are “Certified” under the Framework to import and process personal data of European citizens without these contractual requirements.

Why is this important?

In April 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) was approved.  The GDPR defines the protections required to ensure the privacy and protection of the data of EU citizens. It is formally known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.  A mouthful to be sure.  Approval of the GDPR repealed the previous Data Protection Directive 95/46/EC, which was approved in December 1995.  While the 1995 Directive allowed each country in the EU to come up with its particular implementation, which varied across the EU countries, the 2016 Regulation (GDPR) is stronger in that it enforces the same rules across all affected countries.

The new DPF is not the first.

Several previous frameworks have been put in place to allow the transmission of information on European citizens to the US.  The validity of these frameworks is based on the European Commission’s (EC) determination that each framework put in place is “adequate” to protect the privacy of EU citizens’ data.  This is known as an “Adequacy Decision.”

The first Privacy Framework.

The first such framework, the U.S.-EU Safe Harbor Framework, was approved by the EC in July 2000.  However, the Framework was challenged once it was recognized that US intelligence services could access personal data in violation of the Safe Harbor Adequacy Decision.  The U.S.-EU Safe Harbor Framework was invalidated by the European Court of Justice in October 2015.

The second Privacy Framework.

In July 2016, the next framework, called the EU-U.S. Privacy Shield, was approved by the EC.  Unfortunately, that framework was also struck down by the European Court of Justice, in July 2020, due in large part to what were considered invasive surveillance programs that exist in the US.

The current Privacy Framework.

The current EU-U.S. DPF was announced in March 2022.  The EC adopted an Adequacy Decision on the DPF in July 2023.  One of the distinguishing elements of the new DPF is that it provides a Data Protection Review Court, which was created through an executive order from President Biden in October 2022, to allow challenges to potential privacy violations.

In addition to the EU-U.S. DPF, the United Kingdom (UK) and Switzerland, neither of which is a member of the EU, have adopted their own privacy frameworks, which are very similar to the EU-U.S. DPF.

PROMETRIKA’s Position.

PROMETRIKA is certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.  A list of certified organizations is available here: https://www.dataprivacyframework.gov/list.  In addition, PROMETRIKA’s Data Protection Officer is a Certified International Privacy Professional for the European regulations as qualified by the International Association of Privacy Professionals (https://iapp.org/). We believe this will make it easier and more expedient for PROMETRIKA to provide services to our clinical research sponsors that involve the personal information of European patients and providers.

PROMETRIKA is available to help with projects involving international transfers of data, and to answer any questions related to transfers, including those involving European countries.
