US-EU data privacy framework approved: What does that mean?

by | Jul 26, 2023 | Privacy

Finally – the much awaited alternative to Privacy Shield approved, allowing some certainty in transfer of personal data to the US

On 10 July, the European Commission (EC) adopted its much-awaited adequacy decision for the EU-U.S. Data Privacy Framework. This means that the EC accepts that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to US companies that have self-certified to the EU-U.S. Data Privacy Framework.

Why is this important?

Many businesses were left baffled by the relatively recent decisions of the Court of Justice of the European Union (EUCJ) that ruled against the adequacy of the Privacy Shield framework for personal data transfers from the EU to the US. Those decisions created a great deal of uncertainty about the legality of personal data transfers from the EEA to the US and about the requirements for making such transfers lawful. This is very significant for the many businesses storing data on US-based cloud services such as Google Cloud and AWS, and on SaaS services such as Salesforce and other Google services.

How does it work?

Following this adequacy decision, transfers to the US can be handled in the same way as intra-EU transmissions of data, without having to put in place additional data protection safeguards. This is made possible by two elements working together:

  1. Self-certification to participate in the EU-U.S. Data Privacy Framework.

    The adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework. US entities that wish to be included in the framework need to self-certify their participation. The requirements of the new Framework will probably closely resemble those of the former Privacy Shield.

  2. US Executive Order

    To address the concerns raised by the EUCJ about the ability of US governmental bodies to access personal data transferred to the US, and about the ability of data subjects to obtain redress with respect to their rights concerning their personal information, the US signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. The Order ensures that personal data can be accessed by US intelligence agencies only to the extent that is necessary and proportionate, and establishes an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.

For Europeans whose personal data is transferred to the US, the Executive Order provides for:

  • Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
  • Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
  • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

What does the Privacy Framework include?

US companies can certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for example obligations to:

  • Respect privacy principles such as purpose limitation, data minimisation and data retention;
  • Implement data security measures;
  • Undertake responsibilities and implement measures related to the sharing of data with third parties;
  • Respect data subject rights (e.g. the right to obtain access to their data, or to obtain correction or deletion of incorrect or unlawfully handled data); and
  • Offer redress avenues to individuals whose data is wrongly handled, including before free-of-charge independent dispute resolution mechanisms and an arbitration panel.

Other transfer mechanisms

All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules, which continue to be alternatives to the EU-US Data Privacy Framework (e.g. when transferring to entities that are not self-certified to the framework).

For more information on the implications of the new adequacy decision on the way your business transfers personal data to the US and the requirements of the EU-US Data Privacy Framework self-certification, please contact