On July 10, 2023, the European Commission (EC) adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The decision allows U.S. organizations to self-certify their compliance with the EU-U.S. DPF Principles, which simplifies transfers of personal data from the EU to those organizations. The EU-U.S. DPF is a significant step in the transatlantic dialogue on data flows and a further development in the regulation of data transfers between the EU and the U.S.
Under the GDPR, personal data may be transferred from the EU to countries outside the EU/EEA (“third countries”) without any further authorisation only when the EC has issued an adequacy decision for the importing country. An adequacy decision means that the EC has assessed the laws and practices of the importing country and confirmed that it provides a level of protection essentially equivalent to that guaranteed in the EU. Absent such a decision, a transfer must rely on one of the appropriate safeguards of Article 46 GDPR or on a derogation.
The EC had previously issued adequacy decisions covering transfers to the U.S. under “Safe Harbor” (2000) and “Privacy Shield” (2016). The Court of Justice of the European Union (CJEU) invalidated both frameworks, in “Schrems” (2015) and “Schrems II” (2020) respectively, because U.S. law allowed U.S. intelligence agencies to access the personal data of EU individuals processed by U.S. companies or transferred to the U.S. without limitations meeting the EU standards of necessity and proportionality, and without giving those individuals an effective judicial remedy.
Since the invalidation of the “Privacy Shield” in Schrems II, transfers of personal data to the U.S. could no longer be based on an adequacy decision. Companies in the EU engaging U.S. service providers, or sharing data with entities belonging to the same group of undertakings, instead had to rely on the appropriate safeguards of Article 46 GDPR, most commonly the Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Both mechanisms are burdensome: SCCs require negotiation with the counterparty, and BCRs require approval by the competent supervisory authority following an opinion of the European Data Protection Board. In addition, since Schrems II both require a case-by-case evaluation of the concrete circumstances of the transfer, including the identification and mitigation of the risks inherent to the transfer, through a Transfer Impact Assessment (TIA).
After months of negotiations, and to address EU concerns about access by U.S. intelligence agencies to the personal data of EU individuals, U.S. President Biden issued Executive Order 14086 (EO 14086) on October 7, 2022, introducing new safeguards for such access. The resulting framework rests on three core elements: the EU-U.S. DPF Principles, issued by the U.S. Department of Commerce, to which U.S. organizations adhere by self-certification; binding limitations on U.S. signals intelligence activities, which EO 14086 restricts to what is necessary and proportionate to defined national security objectives; and a two-layer redress mechanism for complaints about U.S. intelligence access to data transferred to the U.S., consisting of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence and the newly created Data Protection Review Court. EO 14086, together with the implementing measures adopted by U.S. authorities (notably the Attorney General’s regulation establishing the Data Protection Review Court), paved the way for the EC to adopt the EU-U.S. DPF adequacy decision.
With the adequacy decision in force, from July 10, 2023 the U.S. is considered to ensure an adequate level of protection for personal data transferred from the EU to U.S. organizations self-certified under the EU-U.S. DPF. The EC will carry out a first review of the EU-U.S. DPF within one year (by July 2024); if that review is satisfactory, subsequent reviews will take place at least every four years.
At the same time, the U.S. Department of Commerce maintains and makes publicly available an authoritative list of U.S. organizations that have self-certified and committed to adhere to the EU-U.S. DPF Principles (the “Data Privacy Framework List”). The EU-U.S. DPF program website (dataprivacyframework.gov) is operational, and U.S. organizations can now self-certify their adherence to the EU-U.S. DPF Principles in order to benefit from the free flow of personal data from the EU to the U.S.
What should companies do now?
Below is an overview of the measures we recommend for companies navigating this new legal framework for the transatlantic flow of personal data. For convenience, we look separately at the steps that U.S. companies and EU companies should take.
1. American companies
Unlike other adequacy decisions issued by the EC, under which organizations in the importing country benefit automatically, the EU-U.S. DPF only covers organizations in the U.S. that have self-certified their adherence to the EU-U.S. DPF Principles to the U.S. Department of Commerce.
This can be done either by updating an existing “Privacy Shield” self-certification (organizations still on the Privacy Shield list were transitioned to the EU-U.S. DPF, but had to update their privacy policies to refer to the EU-U.S. DPF Principles by October 10, 2023) or by submitting a new self-certification to the U.S. Department of Commerce.
Steps for the self-certification
Organizations that plan to self-certify to the EU-U.S. DPF should take the steps listed below.
- Evaluate the eligibility to participate in the EU-U.S. DPF
Not every company or organization can participate in the EU-U.S. DPF program. To participate, the organization must be subject to the jurisdiction of the Federal Trade Commission (FTC) or of the Department of Transportation (DoT). The FTC lacks jurisdiction over, among others, banks and other depository institutions, telecommunications common carriers, non-profit organizations and, in general, insurance companies, so organizations in these sectors cannot self-certify. Air carriers and ticket agents, which are also outside the FTC’s reach, fall under the jurisdiction of the DoT and can participate on that basis. The Department of Commerce encourages organizations that are uncertain whether they are subject to FTC or DoT jurisdiction to contact it through the program website for guidance.
- Establish an appropriate independent recourse mechanism
Before self-certifying, organizations must put in place an independent recourse mechanism to investigate and resolve complaints from individuals and to provide them with appropriate recourse, at no cost to the individual. For human resources data transferred from the EU in the context of the employment relationship, the organization must commit to cooperate with the EU data protection authorities (option a) below); for other data, organizations can generally choose to:
a) agree to cooperate with and comply with the advice of the appropriate European Data Protection Authorities regarding the personal data they intend to process relating to EU individuals.
b) appoint an alternative dispute resolution provider based in the EU.
c) appoint an alternative dispute resolution provider based in the United States.
- Implement verification mechanisms
Self-certifying organizations must have procedures in place to verify that the statements they make about their EU-U.S. DPF privacy practices are true and that those practices have been implemented as described. Verification can be done either through self-assessment (conducted by the organization itself) or through an outside compliance review (an assessment by a third-party provider); in either case it must be carried out at least once a year.
- Other activities
There are other steps that self-certifying organizations must complete as part of the certification process. Among others, they must:
a) Contribute to the binding arbitration mechanism, i.e. pay the contribution to the fund established to cover arbitral costs, including arbitrator fees.
b) Designate a contact within the organization to handle issues related to EU-U.S. DPF compliance. This contact can be either the corporate officer who certifies the organization’s compliance with the EU-U.S. DPF Principles or another official within the organization, such as a Chief Privacy Officer.
c) Complete the self-certification submission after logging in to the EU-U.S. DPF program website (the program website lists the information required, including a privacy policy that references the EU-U.S. DPF Principles) and pay the self-certification fee.
After registering for the self-certification
Once self-certified, organizations must be aware that failure to comply with the EU-U.S. DPF Principles is enforceable by the Federal Trade Commission (FTC) under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce (and, for organizations under its jurisdiction, by the DoT under 49 U.S.C. § 41712). They must also re-certify annually to the U.S. Department of Commerce to maintain their self-certified status, and their commitment to apply the Principles to data received under the EU-U.S. DPF continues for as long as they retain that data, even if they later leave the program.
2. European organizations transferring data to the U.S.
So what should companies on this side of the Atlantic do? EU companies can now reconsider their approach to engaging U.S. service providers, since from July 2023 the regime for transfers of personal data to the U.S. is less stringent. It is important to remember, however, that a third-party risk management procedure should still be in place and that vendor vetting should still be conducted.
The first thing EU organizations should do is check whether the party receiving the data appears on the Data Privacy Framework List published by the U.S. Department of Commerce on the EU-U.S. DPF program website. When checking, confirm that the entry is listed as active and that the certification covers the type of data being transferred (the list distinguishes between human resources data and other data), and keep a dated record of the check in the transfer file.
Where the recipient is not on the EU-U.S. DPF List, the data exporter should either decline to engage the organization or take the same measures it would have taken with any U.S. vendor before the adequacy decision. That means signing a Data Processing Agreement (DPA) where the recipient acts as a processor, relying on an appropriate transfer mechanism such as the SCCs, conducting a Transfer Impact Assessment (TIA), and implementing the technical and organizational measures needed to mitigate the risks identified. There is broad agreement that the risk posed by transfers to the U.S. after EO 14086 and the EU-U.S. DPF should be lower thanks to the additional safeguards, which apply to all data transferred to the U.S. regardless of whether the recipient participates in the program, but that is an evaluation that must still be made on a case-by-case basis.
If the recipient is on the EU-U.S. DPF List, the process is more straightforward. In that case, companies need only enter into a DPA (where the recipient acts as a processor) and perform the third-party due diligence they would perform for any other entity with which they share or disclose personal data. Nothing more, at least in theory.
To start, the EU-U.S. DPF provides more certainty to both EU and U.S. organizations processing and sharing personal data. Companies on both sides of the Atlantic now have a legal basis under which a transfer to an organization on the list of self-certified companies requires no additional transfer tool and no TIA. This removes most of the concerns and uncertainties about transfers that were commonplace before the framework entered into force. The EU-U.S. DPF also regularizes a practice that most companies followed under the previous regime: transatlantic data transfers were never actually stopped or suspended, not even after Schrems II and the sporadic enforcement decisions that data protection authorities took on the matter. It is noteworthy that some of the EDPB’s use cases were simply impossible for companies to implement; for transfers to cloud service providers or other processors that need access to data in the clear (Use Case 6 of the EDPB Recommendations 01/2020), the EDPB itself stated that it was “incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject’s fundamental rights” (para. 94 of the Recommendations).
EU companies should nonetheless take some additional measures that, while not strictly required under the current regime, will be useful if the situation changes. The EU-U.S. DPF will be tested in court and could be annulled in the future. It is not common practice to advise on the consequences of a law being invalidated, since laws are presumed to conform to the legal framework under which they are enacted. History shows, however, that two very similar arrangements were invalidated (see above), and it could happen again within a few years.
In this context, we advise enhanced due diligence for companies transferring personal data from the EU to the U.S., because in the event of an invalidation the extra effort will pay off. First, map your processing activities and your transfers (a record of processing activities is mandatory under Article 30 GDPR), and keep an up-to-date register of your vendors and of the transfer mechanism relied on for each. When companies had to update their SCCs last year, we repeatedly saw that the task was incredibly complex wherever records of vendors and contracts were unorganized, incomplete, or outdated. Second, continue implementing and documenting safeguards that mitigate data protection risks, as was required before. Even though these safeguards were primarily aimed at transfer risks, many of them (access controls or encryption, for instance) are equally important in reducing privacy and security risks generally. Finally, as good practice and where possible, continue to complete and attach the SCCs to your DPAs. The SCCs provide very strong contractual assurances about the processing of personal data by third parties, and U.S. service providers should by now be familiar with the 2021 version of the SCCs (Commission Implementing Decision (EU) 2021/914), having routinely implemented them over the past two years. Taken together, these measures will help companies stay compliant if the CJEU invalidates the EU-U.S. DPF in the future.
If you want to stay up to date with the latest news on the privacy and security field, follow us on LinkedIn. We post regularly about the most important news that companies should be aware of in this area.
At White Label Consultancy, we have assisted many clients worldwide in reducing the risks of processing and transferring personal data, as well as providing advice on various domestic and international privacy and data security matters. For more details feel free to contact us using the contact form.