The General Data Protection Regulation (GDPR) is one of the most wide-reaching and stringent data compliance laws and regulations, with penalties for violating its terms reaching 4% of an organization’s prior year worldwide turnover. Although some of its provisions, such as Chapter 5, have fed more debate and litigation than others, it’s in the best interest of any organization that does business in or with the European Union (EU) to prioritize abiding by its data sharing standards.
For personal data to flow between a data exporter from the European Economic Area (EEA) and a data importer operating in or from the US, a valid ground for transfer must be established. In other words, the GDPR requires that an EU data exporter use a transfer tool listed within Chapter 5 to move or grant access to data to a US data importer.
However, in the 2020 Schrems II decision, the Court of Justice of the European Union (CJEU) found that US law did not offer essential guarantees to EU data subjects. Since then, transferring personal data in plain text from the EEA to the US has become a challenge, unless it is done on the basis of a derogation listed in Article 49. In the wake of the Schrems II ruling, EU national Data Protection Authorities (DPAs) opined that a risk-based approach, in which the data and its environment are evaluated to determine whether human rights and enforceability risks have to be fully mitigated, could not be pursued.
The EU-US Data Privacy Framework (DPF), the byproduct of the third adequacy decision issued by the European Commission concerning the United States, aims to solve this challenge. Following the adoption of President Biden’s Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O. 14086) and the Attorney General Regulation on the Data Protection Review Court, the European Commission found in July 2023 that the US now offers an adequate level of protection.
As the EU-US DPF takes effect, what is it really about and how will it impact your data governance practices?
What the EU-US Data Privacy Framework Is
The EU-US Data Privacy Framework is a self-certification program intended to facilitate compliant transfers of personal data between the EU and US.
To simplify the process, the US Department of Commerce’s International Trade Administration (ITA) launched a DPF website explaining how to achieve self-certification. Participation in the DPF program requires an organization to annually re-certify to the ITA to confirm that it adheres to the DPF Principles.
Among the list of DPF principles with which self-certified companies must comply are seven commonly recognized data protection principles and 16 other supplemental principles, which are equally binding. The former cover:
- Notice – Defines the information that organizations must notify individuals about when they provide their personal information to the organization, including the organization’s participation in the DPF, purpose(s) for collecting and using data, and the individual’s right to access their personal data.
- Choice – States that organizations must offer individuals the ability to opt out of having their data shared or used for purposes that are materially different from the purpose(s) for which the data was originally collected or subsequently authorized by the individuals, and that individuals must explicitly consent to their sensitive personal data (e.g. health, demographic, political information) being shared or used.
- Accountability for Onward Transfer – Requires organizations to enter into a contract with the third party controller to ensure their compliance with the first two principles, and confirm their commitment to only share data responsibly and for the specified, approved purposes.
- Security – Emphasizes the need to take intentional steps to ensure personal information is protected from loss, misuse, unauthorized access, and alteration or destruction. This includes assessing the organization’s risks in processing personal data, and proactively mitigating them.
- Data Integrity and Purpose Limitation – Reiterates that personal information must only be used for the specified purposes for which it was collected, and/or that where relevant adequate de-identification techniques are applied for processing.
- Access – Grants individuals the right to access, correct, amend, or delete their personal information from an organization’s database if it is inaccurate or misused. The exception is in cases where providing access would be disproportionately burdensome or put others’ rights at risk.
- Recourse, Enforcement and Liability – Mandates that organizations and their selected independent recourse mechanisms promptly respond to inquiries and requests by regulators, that organizations arbitrate claims when an individual has invoked binding arbitration, and make public relevant sections of compliance or assessment reports submitted to the court or U.S. statutory body to the extent consistent with confidentiality requirements.
Note that the ITA checks whether an organization’s submission is complete before adding it to the DPF’s list, and that it has the power to remove the organization from that list if it is found to have persistently failed to comply with the DPF Principles.
What the EU-US Data Privacy Framework Is Not
The EU-US DPF is not a carte blanche to data transfers between the EEA and the US. This is true for at least two reasons.
First, the DPF is a self-certification program. In other words, participation requires a US-based organization to self-certify to the ITA and publicly commit to comply with the DPF Principles. Although the decision to self-certify is voluntary, effective compliance with the DPF Principles is compulsory and the commitment to do so is enforceable under US law.
Second, the DPF self-certification program is not all-encompassing. In fact, it’s worth mentioning its limits. It can only benefit US legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT). Banks, insurance companies, and nonprofits are thus excluded from the program.
What the Future Holds for the EU-US Data Privacy Framework
It is hard to guess whether the EU-US DPF will stay with us for very long. The most obvious reason, which explains why the future of the DPF is still uncertain, is that legal challenges were announced just a few hours after the release of the European Commission’s adequacy decision, and some actions have already been initiated.
At the time of publication, more than 2,500 organizations are included in the ITA’s list.
What the DPF Means for Standard Contractual Clauses
While we await the resolution of the DPF legal saga, it is important to observe that the DPF is relevant for various transfer tools, including Standard Contractual Clauses (SCCs). SCCs are a set of standardized contractual clauses adopted by the European Commission, which can be used even when no adequacy decision has been issued, and which allow data exporters to impose upon data importers a series of obligations that align with EU data protection law. SCCs also grant data subjects third-party beneficiary rights, which are relevant in particular when the clauses are breached. SCCs are the most widely used transfer tool. In practice, they regularly supplement data protection agreements or addendums (DPAs), by either being added as an exhibit or included within a DPA by reference.
SCCs are thus a means to export through contract EU data protection law standards, to the direct benefit of both data exporters and data subjects. When parties to a data flow have some bargaining power, the annex that accompanies the clauses is often a means to force the data importer to disclose cross-border data flows to the data exporters.
Importantly, the DPF and the new adequacy finding significantly simplify the data exporters’ assessments, should they choose to rely upon SCCs. This has been confirmed by the European Data Protection Board, which clearly states that “when assessing the effectiveness of the Article 46 GDPR transfer tool chosen [including SCCs], data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision.” This means that SCCs alone are likely sufficient to legitimize cross-border data transfers to the US, and there is no need to implement additional technical and organizational measures to mitigate the risk of access to personal data by US public authorities.
Just like traditional DPAs used within the EEA, SCCs can thus be used as the basis for segmenting processing activities by purpose and data recipient in the context of EEA-US cross-border data transfers.
While the future of the EU-US Data Privacy Framework is uncertain, its continued rollout will undoubtedly be scrutinized by governing bodies in Europe, the US, and beyond.
To learn more about how to enable data de-identification and purpose limitation in accordance with the GDPR, check out this blog on why GDPR compliance is important and how to build a compliant data strategy in five steps.