On the road again
The international transfer of personal data spun off the information superhighway when the CJEU invalidated Privacy Shield certification as a transfer mechanism in 2020. The new EU-US Data Privacy Framework, adopted in July, seeks to get things back on the road. Elaine Morrissey hits top gear
On 10 July 2023, the European Commission adopted its adequacy decision (approval) for the EU-US Data Privacy Framework (DPF), entering into force with immediate effect. This means that there is now a valid transfer mechanism for those companies that certify to the DPF (in essence, ‘Privacy Shield 2.0’).
This is very welcome and long-anticipated news for global organisations and for EU organisations engaging vendors in the US. It means that EU organisations can transfer EU personal data to organisations in the United States that certify to the DPF.
Certification to the DPF, in essence, bolsters an organisation’s privacy framework.
One mechanism to transfer personal data from the EU to the US was Privacy Shield certification.
The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce, the European Commission, and the Swiss administration to provide companies with a mechanism to comply with data-protection requirements when transferring personal data from the EU and Switzerland to the US.
However, in 2020, the Court of Justice of the EU invalidated the Privacy Shield certification as a transfer mechanism.
Following the invalidation of Privacy Shield, many organisations sought to rely on standard contractual clauses (SCCs) as a transfer mechanism – and many readers will be all too familiar with the challenges of SCCs.
It’s been a bumpy ride – but help is here!
While Privacy Shield could no longer be relied on as a transfer mechanism, over 2,500 organisations continued to self-certify to the framework in anticipation that a new framework would come into place. (That number is higher when you include ‘covered entities’. For example, while Amazon is one listing, it has five covered entities.)
The EU and the US had been working on an updated framework since the invalidation of Privacy Shield as a transfer mechanism.
Update
On 10 July 2023, the EC adopted its adequacy decision (approval) for the EU-US DPF, which entered into force with immediate effect. This means that there is now a valid transfer mechanism for those companies that certify to the EU-US DPF.
It is different to other adequacy decisions because, to avail of the benefits of the adequacy decision, organisations have to certify to the Data Privacy Framework.
For organisations already operating to a GDPR standard, this certification is relatively straightforward.
For US-based companies dipping a toe into the EU market, however, there is much to do to meet the standard in advance of submitting an application.
Certifying organisations must commit to comply with a detailed set of privacy obligations – this includes complying with GDPR-style principles: for example, purpose limitation, data minimisation, and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.
The new Data Privacy Framework Programme is the first stop for information on certification.
The adequacy decision also supports other transfer mechanisms, for example, the use of SCCs and binding corporate rules.
This is welcome, in light of a recent Irish Data Protection Commission decision against Facebook/Meta, which, in essence, found that the SCCs and Meta’s supplemental measures were not sufficient, due to US surveillance of data and a lack of redress for individuals.
The DPF addresses the key issues in the Facebook/Meta decision.
Those organisations that retained their Privacy Shield certification can now breathe a sigh of relief, as they are rewarded for their loyalty.
Such organisations have automatically transitioned to the DPF and have been able to rely on it immediately as a transfer mechanism.
Who does this affect?
This is very good news for global organisations and for companies engaging vendors/suppliers in the US.
The mammoth task set by SCCs and the need for supplementary measures was, in essence, impossible for any one organisation to achieve – organisations were tasked with making adequacy decisions themselves.
The DPF also assists those relying on SCCs to transfer data from the EU to the US. The list of those certified to DPF is publicly available on the DPF website and includes some household names, for example, Microsoft, Adobe, Amazon and Workday.
The decision has also had a positive impact on the need for transfer impact assessments (TIAs).
The CJEU decision (and subsequent guidance) made it clear that data exporters must conduct TIAs to assess, on a case-by-case basis, whether the laws of the third country undermine the effectiveness of the SCCs.
This was, effectively, an impossible task for any organisation, which was seen in the DPC decision against Facebook/Meta.
For those relying on the DPF, a transfer impact assessment will technically not be needed, as the adequacy decision for the DPF replaces the adequacy assessment in the TIA.
However, it is noted that we are only talking about the US here. If organisations are transferring EU personal data to countries outside the EU, and those countries do not have adequacy decisions, a suitable transfer mechanism will be required, together with consideration of supplementary measures and TIAs.
Data subjects
Who and what is the EU trying to protect?
The EU is protecting individuals (data subjects) within the EU and aiming to ensure that the level of protection their data has within the EU travels with that data.
As referred to above, one of the biggest gaps was the lack of redress for individuals. However, this gap has now been closed.
Data subjects in the EU can submit a complaint to their national supervisory authority – in the case of Ireland, the Data Protection Commission – to make use of the new redress mechanism about the collection and use of their data by US intelligence agencies.
The supervisory authority will forward the complaint, via the European Data Protection Board, to the relevant US authorities. The supervisory authority will ensure that the data subject is provided with information regarding the complaint-handling process and the outcome of the complaint.
This ensures that individuals can turn to their local supervisory authority in their own language.
Complaints will be transmitted to the US by the European Data Protection Board. First, complaints will be investigated by the Civil Liberties Protection Officer of the US intelligence community.
This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Second, individuals have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (DPRC).
This court is composed of members from outside the US Government who are appointed on the basis of specific qualifications, who can only be dismissed for cause (such as a criminal conviction or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government.
The DPRC has powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and can take binding remedial decisions.
For example, if the DPRC found that data was collected in violation of the safeguards provided in an executive order, it could order the deletion of the data.
In each case, the court will select a special advocate with relevant experience to support the court, who will ensure that the complainant’s interests are represented and that the court is well informed of the factual and legal aspects of the case.
This will ensure that both sides are represented and introduce important guarantees in terms of fair trial and due process.
Once the Civil Liberties Protection Officer or the DPRC completes the investigation, the complainant will be informed that either no violation of US law was identified, or that a violation was found and remedied.
At a later stage, the complainant will also be informed when any information about the procedure before the DPRC – such as the reasoned decision of the court – is no longer subject to confidentiality requirements and can be obtained.
This new redress mechanism is available to individuals across the EEA, as the EU, Iceland, Liechtenstein, and Norway were designated as ‘qualifying states’ by the US Attorney General on 30 June 2023.
What about the UK?
The adequacy decision sets the stage for the proposed UK Extension to the DPF, which would facilitate data flows from the UK to the US and would be introduced under UK law.
Such a framework requires the US to designate the UK as a ‘qualifying state’ and the UK Secretary of State to issue an adequacy decision.
The Department of Commerce has issued an advisory that, from 17 July 2023, US organisations that are part of the DPF can also self-certify for the UK extension, but cannot rely on it for UK personal-data transfers until the UK adequacy regulations come into force.
There is no clear timeline for establishing the UK Extension, but this is understood to be a priority.
The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, which will create a ‘data bridge’ between the two countries.
Similarly, on 17 July, the Swiss-US DPF also became operational. Entities certified under the Swiss-US Privacy Shield Framework will transition to the DPF.
However, as with the UK, transfers cannot be made until Switzerland issues an adequacy decision.
All good news?
While this is good news from an EU-US perspective, it is highly likely that the DPF will be challenged. However, the EU and the US are confident that the DPF can withstand any such challenge.
International transfers are still a taxing topic, for example, those transferring data from China are currently in the process of navigating complex obligations, documentation, and certification or registration with relevant regulators.
The decision will be reviewed within one year and, thereafter, at least every four years. Those certified to the DPF will be monitoring the outcome of these reviews.
In summary, good news for now, with a few more bumps along the road, and plenty of challenges for solicitors and organisations operating in this space.
Elaine Morrissey is a member of the Law Society’s Intellectual Property and Data Protection Law Committee and is assistant global DPO at ICON.