The transfer of personal data from the EU to the US has been a contentious issue for some time. Recently, we have seen data protection authorities, such as Ireland’s Data Protection Commission, issuing large fines to companies relating to the GDPR’s international data transfer requirements. In May 2023, the Irish DPC fined Meta Platforms Ireland €1.2 billion for the unlawful transfer of personal data going back to 16 July 2020. The data was collected by its Facebook service and transferred to the US using Standard Contractual Clauses (SCCs). This decision followed the European Data Protection Board’s (EDPB) binding dispute resolution.
In light of ongoing concerns relating to EU-US data transfers and the necessity of international data transfers for trade and cooperation, the EU and US have been working towards establishing a Data Privacy Framework to facilitate the lawful transfer of data.
On 10 July 2023 the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). The Framework is a self-certification programme where organisations can register, confirming that they have met certain standards and that they will comply with the DPF requirements. The effect of registration is that organisations may rely on the DPF as a lawful means to transfer data to the US. While the DPF Adequacy Decision is likely to be challenged, this Framework can be seen as an interim solution.
How the Framework Works in Practice
Organisations that Self-Certify under the DPF
The Adequacy Decision means that organisations can register to have their internal policies and procedures approved under the Framework to transfer data from the EU to the US without the need for other data transfer mechanisms such as SCCs and Binding Corporate Rules (BCRs). Where an importer of personal data has self-certified, the exporter of the data will not need to conduct a Transfer Impact Assessment (TIA) or Risk Assessment as the importer will be deemed to have adequate protection for the incoming personal data.
Organisations that Previously Registered under Privacy Shield
Organisations which have previously registered under Privacy Shield have 3 months to amend and update their references to Privacy Shield in line with the new Framework requirements. Where an organisation already meets all of these requirements, the transition is automatic. As per the US Department of Commerce, ‘the process to self-certify and re-certify annually will remain substantively the same.’
Other Transfers of Personal Data to the US
Where organisations continue to use SCCs and BCRs for the transfer of personal data, they must also continue conducting Transfer Impact Assessments (TIAs), as per the Schrems II decision.
There are a number of requirements in the DPF that organisations must comply with to participate. The US Department of Commerce summarised the Key Requirements as follows:
Informing individuals about data processing
- For the DPF to be considered enforceable under US law, participating organisations must include in their privacy policies a declaration of commitment to comply with the DPF Principles.
- Privacy policies must include a link to the US Department of Commerce’s Framework program website and a link to the independent recourse mechanisms to investigate individual complaints brought under the DPF Principles.
- Privacy policies must inform individuals of their right to access their personal data, the requirement to disclose personal information in response to lawful requests by public authorities, which enforcement authority has jurisdiction over the participating organisation’s compliance with the DPF Principles, and the participating organisation’s liability in cases of onward transfer of data to third parties.
Maintaining data integrity and purpose limitation
Participating organisations must limit personal information to the information relevant for the purposes of processing. Participating organisations must comply with the data retention provision.
Providing free and accessible dispute resolution
Individuals may bring a complaint directly to a participating organisation, and the participant must respond to the individual within 45 days. Participating organisations must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved. If an individual submits a complaint to a data protection authority (DPA) in the European Union / European Economic Area, the US Department of Commerce’s International Trade Administration (ITA) has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days. Participating organisations must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
Cooperating with the US Department of Commerce
Participating organisations must respond promptly to inquiries and requests by the ITA for information relating to the DPF (or the UK Extension to the DPF, if applicable).
Ensuring accountability for data transferred to third parties
To transfer personal information to a third party acting as a controller a participating organisation must:
- Comply with the Notice and Choice Principles; and
- Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the DPF Principles and will notify the organisation if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
Transparency related to enforcement actions
Participating organisations must make public any relevant DPF-related sections of any compliance or assessment report submitted to the Federal Trade Commission (FTC) or the US Department of Transportation if the organisation becomes subject to an FTC or court order based on non-compliance.
Ensuring commitments are kept as long as data is held
If an organisation leaves the relevant part(s) of the DPF and chooses to keep data received under those part(s), it must annually affirm to the ITA its commitment to apply the DPF Principles to that information; otherwise, it must provide “adequate” protection for the information by other authorised means.
Although the DPF may be subject to challenge, organisations are opting to join the DPF as an alternative to SCCs or, in some cases, in addition to SCCs. The team at Pembroke Privacy would be happy to discuss how we can help you to meet the DPF requirements or manage other transfer mechanisms.