International Transfers: the EU-US Data Privacy Framework

Privacy and security

I’m kicking off the summer holidays with two blogs on what you need to know from 2023 for GDPR international transfers compliance. This is the first in which we’ll be diving into the shiny new EU-US Data Privacy Framework (“EU-US DPF”). My second blog will summarise what else you need to know from 2023, and give you my top ten survival tips. So stay tuned!

I’ve split this blog into 3 sections:

  1. Where were we before the EU-US DPF?
  2. What is the EU-US DPF?
  3. Key considerations before moving from the SCCs to the EU-US DPF.

1. Where were we?

    In case you need a refresher, under EU GDPR to lawfully transfer personal data outside the EEA we usually need: (1) an Adequacy Decision in favour of the country of destination, (2) Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) binding on the exporter and importer, plus a corresponding “transfer impact assessment” (“TIA”) and supplementary measures, or (3) (very rarely) an Article 49 exemption (e.g. explicit consent).

    The position is broadly the same for transferring personal data outside the UK, subject to some quirks. (Check out my myth-busting video on that here.)

    It’s worth remembering that a “transfer” means letting a third party process the personal data in any way. This is wider than just physical transfers and includes (e.g.) allowing them to look at, remotely access, store, copy or receive the data.

    If you’d like more information on international transfers generally, I’ve put together a collection of videos on the international transfer rules, which are available at the links below:

    Transfer Impact Assessments

    A “Transfer” Only Happens If I Send The Data Somewhere Else

2. What is the EU-US DPF?

    Following the EU’s Adequacy Decision[1] granted on 10 July 2023, the EU-US DPF, available from 17 July 2023, allows self-certified US businesses to freely receive personal data from the EEA without further measures. This means that for some transfers to the US, SCCs, TIAs and supplementary measures will no longer be required[2].

    There are two components that led to the Adequacy Decision: (1) the overarching Executive measures implemented by the US Government that now apply to all transferred EEA personal data[3] and (2) the commercial requirements for US businesses self-certifying under the EU-US DPF.

    (1) US Executive measures

    The overarching Executive measures were enacted by the Biden Administration through Executive Order 14086 (“EO 14086”) and the new Attorney General Regulation it required (“AG Regulation”). These aim to remedy the deficiencies in US surveillance law and practices, as identified in Schrems II, by:

    A. Applying “Enhancing Safeguards” to surveillance policies and procedures of US authorities to ensure that the powers exercised are solely those “necessary” and “proportionate” for the relevant “legitimate” aim; and

    B. A two-step redress mechanism for individuals in “qualifying states” (currently only the EEA) who believe that US surveillance activities relating to them have violated US law. This will include review by the Civil Liberties Protection Officer and Data Protection Review Court.

    Importantly, these measures apply to all processing of the personal information of individuals in qualifying states. Therefore, these measures also apply to data transferred under other transfer mechanisms, such as the EU Standard Contractual Clauses (“SCCs”) and BCRs. Indeed, the EDPB has confirmed that these “should” be taken into account in US TIAs[4].

    (2) The commercial requirements

    US organisations wishing to self-certify must also comply with the commercial requirements of the EU-US DPF. These measures are deliberately near-identical to those under the EU-US DPF’s predecessor, the Privacy Shield, which has allowed the US to grandfather across entities still certified under the Privacy Shield, subject to updating their privacy notices by October[5].

    They do not, however, affect any existing obligations for businesses already subject to EU GDPR, local law requirements for HR and sensitive data or more stringent requirements under US law[6].

    To self-certify:

        1. The business must be regulated by the US FTC or Department of Transport (DoT)[7]. (This means that the EU-US DPF is not available for some businesses, e.g. banks and non-profits).
        2. The business must agree to comply with the 7 “Principles” of the DPF[8], and their 16 “Supplemental Principles”[9], the flavour of which will be familiar to GDPR practitioners.
            1. Notice[10] – the organisation must publicly disclose and comply with privacy notice(s) setting out details of the processing, and how the organisation complies with the other principles (e.g. choice, onward transfers, complaints and redress mechanisms)[11]. The privacy notice must declare that the organisation is participating in the EU-US DPF and provide a link to the list of participating organisations (see below). (Additional requirements and exceptions are available for HR, travel, scientific research and publicly available data[12].)
            2. Choice[13] – the organisation must provide “readily available and affordable”[14] opt-out mechanisms for new “materially different” uses and transfers to third party controllers of personal data. For sensitive information (wider than GDPR special category data), these must generally be opt-in instead[15]. These obligations likely require distinct controls and processes in addition to any existing GDPR consent and objection mechanisms. (Additional requirements and exceptions are available for HR, travel, scientific research and publicly available data[16].)
            3. Accountability for onward transfers[17] – the organisation must execute a contract with third party onward recipients requiring them to apply the same level of protection as the Principles, use the data only for specified purposes, and notify if they cannot meet their obligations under the Principles. For recipient “agents” (processors) the contract should also include certain “Article 28 lite” obligations (e.g. only act on instruction). Intra-group transfers between controllers may alternatively be made pursuant to other mechanisms (e.g. BCRs) where the participating organisation remains responsible for compliance with the Principles.
            4. Security[18] – the organisation must take “reasonable and appropriate measures” to protect the data from a personal data breach.
            5. Data integrity and purpose limitation[19] – the organisation should only process the personal information “relevant for the purposes”, and “take reasonable steps” to ensure that it is “reliable… accurate, complete, and current”. Processing should only be undertaken for identified and compatible purposes. “Compatible processing” includes e.g. customer relations, legal obligations and rights, and “other purposes consistent with the expectations of a reasonable person given the context of the collection”[20].
            6. Access[21] – individuals must have access to their personal information, and be able to correct, amend and delete that information where inaccurate or unlawfully processed. These provisions broadly mirror the GDPR data subject rights but, except in respect of HR data[22], are generally more favourable to the organisation in scope, e.g. the scope of a search, or when to refuse a request or charge a fee[23].
            7. Recourse, enforceability and liability[24] – to support the redress mechanisms introduced in the Executive measures, the organisation is obliged to (i) provide a free independent recourse mechanism, which shall be able to investigate and resolve complaints and disputes, and (ii) respond “promptly” to enquiries from the EU-US DPF Department, including regarding complaints referred from EU supervisory authorities. Direct cooperation with the EU supervisory authorities is required of organisations receiving HR data[25], or otherwise selecting to do so as their independent means of redress[26]. Those organisations may also obtain binding advice from an “informal panel of [supervisory authorities] established at the EU level”[27]. Organisations generally remain liable for processing by their agents[28].

        3. The business must publish its privacy notice(s) and register with the EU-US DPF Program. The privacy notice(s) should be publicly available, preferably on the organisation’s public website[29]. An organisation is not able to rely on the EU-US DPF for transfers until it has been approved and appears on the DPF List of participating organisations[30].

      It is important to note that the DPF requirements only relate to the international transfer rules, and do not displace any other requirements under GDPR. For example, contracts with US processors must still include the Article 28 clauses (which would include the DPF organisation flowing those obligations down to subprocessor onward recipients).

3. Key considerations before moving from the SCCs to the EU-US DPF

      If you’re thinking about moving to the DPF or relying on the DPF instead of existing SCCs, it’s worth considering the following points:

        1. The DPF cannot apply to certain data transfers. Certain transfers, entities and data are not within scope of the DPF – for example:

            • Non-EU controllers and transferors – the EU-US DPF is only available for “eligible organizations in the United States receiving personal data from the [EEA]” (emphasis added) and not for “transfers from entities located outside the [EEA]”[31], e.g. a US company directly subject to EU GDPR cannot rely on the DPF to make transfers to other US companies, such as other group companies or service providers. Therefore, contracts for groupwide US-based service providers may need to rely on both the EU-US DPF and SCCs to ensure all necessary transfers can be made.
            • Intra-group and more complex international transfers may still require SCCs or BCRs – as above, e.g. if the data is transferred from the EU group company to an Argentinian subsidiary and then to the US head office, we’ll need another transfer mechanism like SCCs or intra-group BCRs.
            • US organisations not subject to regulation by the FTC or DoT – certain organisations, such as banks and non-profits, are regulated by other entities and therefore cannot certify.
            • Excluded data – Personal information gathered for publication, broadcast and other public journalism, or which has been previously published and sourced from media archives cannot be transferred under the DPF[32].

          2. Enforcement. The EU-US DPF is not a tick-box exercise, and it is not identical to GDPR.

          3. Don’t miss your other GDPR obligations and clauses (e.g. Article 28). If you’re replacing or removing the SCCs from your contracts, make sure that you’ve included your data sharing and processing protections elsewhere, and any relevant local law obligations for e.g. HR and sensitive data are set out. Similarly, if you’re binning a TIA, make sure that it doesn’t leave a hole in your compliance or remove a key security commitment previously framed as a “supplemental measure” (e.g. encryption). Some businesses may also have used their TIAs as part of their data mapping, Article 30 Record of Processing Activities (ROPA), legitimate interest assessments (LIAs), or data protection or privacy impact assessments (DPIAs and PIAs).

          4. Better protections for controllers (and data subjects)? If the exporter is particularly concerned about the relevant data being transferred, then they may choose to still rely on the lengthier and more particular controls of the SCCs (e.g. enhanced liability, rights relating to subprocessors and audits, direct oversight of EU supervisory authorities, and local EU governing law).

          5. Costs. There are certification costs associated with the DPF, plus additional costs[33] if the organisation is subject to direct cooperation with the EU supervisory authorities (e.g. by receiving HR data).

          6. Interpretation and compliance with EU law and principles? US law generally applies to “questions of interpretation … compliance with the Principles and relevant privacy policies”, “except” if the organisation has committed to direct cooperation with the EU supervisory authorities[34]. The precise implications of this are unclear; however, it may mean that, for those organisations, certain concepts, e.g. “access” or “consent”, need to be applied in accordance with their wider equivalent terms under GDPR. We may see further guidance come from the informal panel of supervisory authorities available to those organisations, with which, notably, they “undertake” to comply[35]. (This guidance may also be relevant for other entities seeking to transfer personal data to the US, so one to keep an eye on.)

          7. Challenge. Schrems has confirmed[36] that NOYB will be challenging the EU-US DPF, including EO 14086 and the AG Regulation. It is unclear how long such a challenge would take, but it’s worth keeping in mind, given the additional compliance time/cost, and parties may wish to maintain their existing SCCs and TIAs as a “back-up” if the DPF and/or Executive measures fall away.

          8. Not yet available for UK or Swiss transfers. Although organisations can already certify under the UK extension of the EU-US DPF and the Swiss-US DPF, those mechanisms will not be available for transfers until the UK and Switzerland have made their respective adequacy decisions.

          9. Another repapering? If you’ve already executed the SCCs then either party may consider it unnecessary (or just tiresome) to repaper the agreement, for example if the contract doesn’t otherwise need to provide for other jurisdictions, restrictions on further processing, the Article 28 clauses or complex transfers (as per above).

          10. Check in with your US and EEA counterparties. Regardless of the points above, it is worth checking in on both sides of the Atlantic to work out what your key contacts are doing and/or expecting from you, and how you and/or they are implementing the requirements under the DPF. I’d always recommend digging out those data maps and due diligence questionnaires. For example, are any security measures changing, do you/they get fewer audit and subprocessor rights, does the certifying organisation want to process HR data (with the direct EU cooperation that comes with it), how are you/they implementing the necessary opt ins and outs, and have onward transfer contracts been updated?

          ____________________________________

          Keeping on top of it. We’ll be monitoring developments, and publishing the second of these two blogs on wider international transfer developments soon. So watch this space, follow us on LinkedIn or Twitter.

          Thanks for reading. We’d love to hear from you if you have any questions or you have any topics you’d like covered in future briefings, webinars or vlogs.

          Contact Eleanor Hobson for more information.


          [1] Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final.

          [2] Confirmed by the European Data Protection Board (“EDPB”) in its “Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023” dated 18 July 2023, available at: https://edpb.europa.eu/system/files/2023-07/edpb_informationnoteadequacydecisionus_en.pdf

          [3] As above for fn2.

          [4] See fn2.

          [5] EU-US Data Privacy Framework Program, Supplemental Principle 6(e)

          [6] Overview (1) and Supplemental Principles 9 and 13

          [7] Overview (2)(a)

          [8] Part II, Principles

          [9] Part III, Supplemental Principles

          [10] Overview (2)(b), (c) and (d), and Principle 1

          [11] See detail at Principle 1(a)

          [12] Supplemental Principles 9, 13, 14 and 15

          [13] Principle 2 and Supplemental Principle 12

          [14] Supplemental Principle 12(a)

          [15] Exceptions are noted at e.g. Supplemental Principle 1

          [16] Supplemental Principles 9, 13, 14 and 15

          [17] Principle 3 and Supplemental Principle 10

          [18] Principle 4

          [19] Principle 5

          [20] See footnote 6 to Principle 5.

          [21] Principle 6 and Supplemental Principle 8

          [22] Supplemental Principle 9(c)

          [23] For example, Supplemental Principles 8(b)-(g), 14(e) and 15(d)

          [24] Principle 7 and Supplemental Principles 7 and 11

          [25] Supplemental Principles 5(d) and 9

          [26] Supplemental Principle 5(a)-(b)

          [27] Supplemental Principle 5(c)

          [28] Principle 7(d)

          [29] Supplemental Principle 6(b)(iii)(1) and (c), EDPB information note footnote 5.

          [30] Overview (3) and Supplemental Principle 6(a) and footnote 12.

          [31] See EU-US DPF Program, Overview (1). See also, e.g., Overview (2) “In order to rely on the EU-U.S. DPF to effectuate transfers of personal data from the [EEA]”, and Principle 1(a)(iii) “all personal data received from the [EEA]” (emphasis added).

          [32] Supplemental Principle 2

          [33] Supplemental Principle 5(e)

          [34] Overview (7).

          [35] Supplemental Principle 5(c)

          [36] See: https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu
