How to transfer data to the US under GDPR 3.0: EU-U.S. Data Privacy Framework – briefly and clearly

Previously, Oksana Zadniprovska, Partner at Axon Partners, wrote a column for AIN.UA about the rules for transferring personal data to the United States. Recently, there have been important changes – the EU has recognized the United States as an adequate jurisdiction for data transfer. Read on to discover when this will work and what it means for IT business.

How to transfer data to the US under GDPR 3.0: EU-U.S. Data Privacy Framework – briefly and clearly

Let’s recall what happened with data transfer from the EU to the US

Here’s a brief summary. Before transferring personal data from the EU to the US, we had to bother with contracts and counterparty verification. The checks could have shown that transferring data there was a bad idea because there is a lot of intelligence there. If you transferred it anyway, you could get a fine from the EU regulator for violations in the field of personal data protection.

 

To be more specific. Based on the GDPR, the European General Data Protection Regulation, all countries can be divided into:

 

  • countries of the European Economic Area (EEA);
  • “adequate” countries – those that provide data protection “substantially equivalent” to the EU;
  • all other countries.

 

For the first two groups, you only need a data processing agreement (DPA). However, additional protection measures are required to transfer data to all other countries. Ukraine is on the third list; until recently, the United States was there too.

 

The very brief history of US “adequacy.” From 2000 until the end of 2015, according to the EU, the United States provided “substantially equivalent” data protection based on the Safe Harbor principles. Thanks to the efforts of activist Max Schrems, in 2015, these principles were canceled, and the EU-U.S. Privacy Shield Framework was adopted almost immediately. Another 4 years passed, and in 2020, the United States was again put in the corner with “everyone else” by the decision of the EU Court of Justice.

 

What the EU Court of Justice does not like all the time. The revocation of the adequacy status was attributed to the fact that the US intelligence community had too much power and that there was no mechanism for EU residents to protect their right to privacy against government and business interference. As a result, businesses had to either not transfer data to the United States at all or sign new standard contractual clauses (SCCs), and, before doing so, assess the impact of data transfer on the subjects’ rights. And pray? Because the regulators in France, Austria, and Italy have even banned Google Analytics outright and said that no SCCs will help.

 

So, transferring data to the US for the last three years has been a bit of an acrobatics.

What has recently happened to the US status under the GDPR

On July 10, 2023, the European Commission approved the decision on the adequacy of the United States. The program is called the EU-U.S. Data Privacy Framework (DPF). It provides for the principles of personal data protection and a new mechanism for EU residents to appeal against interference with their privacy. Businesses in the United States that will be subject to the program and their EU partners will not be required to assess the impact of data transfers on the rights of data subjects and sign the SCC.

 

What does the EU-U.S. DPF provide for?

А. Businesses in the U.S. that want to be considered trustworthy for transfers need to be certified.

 

Not just any company in the US can automatically transfer data from the EU. The company must be in a special register of certified businesses. To get there, you need to publicly confirm your compliance with the EU-U.S. DPF principles, adhere to them, and publish your privacy policies.

 

The formal steps include filling out an application on the program’s website. Certification is paid and depends on the size of the company’s annual revenue.

B. Certified businesses in the United States must comply with the EU-U.S. DPF principles

 

Businesses in the United States must comply with the following principles:

 

  1. Notice: The business must notify individuals in plain and understandable language, including whether they are participating in the program, what data they process and why, where to go with inquiries and complaints, to whom the data is shared, their rights regarding personal data, and which independent dispute resolution body they can contact with complaints.
  2. Choice: Businesses should develop a simple, clear, and accessible mechanism for individuals to express their unwillingness to have their data transferred or used for a purpose other than the one for which it was collected. For sensitive data (e.g., health data), only clear, unambiguous consent to dissemination or use beyond the original purpose should be required.
  3. Accountability for onward transfer: Organizations that receive data from a certified organization as controllers must comply with the Notice and Choice principles. They should conclude a contract with their agents (contractors/processors) that defines the rules and purpose of data processing before it is transferred.
  4. Security: Reasonable and appropriate measures must be taken to protect data from security breaches, taking into account the risks and nature of the data.
  5. Data integrity and purpose limitation: Businesses should only process data that is relevant to the purpose for which it was collected. Organizations should ensure that data is reliable, accurate, complete, and up-to-date for the relevant use. Data should not be stored if it is no longer needed for the original purpose.
  6. Access: Individuals should have the right to access data about them, as well as the right to request correction or deletion of inaccurate information or information processed in violation of the principles.
  7. Recourse, enforcement, and liability: Businesses must provide individuals with the opportunity to recourse against data processing violations free of charge. To do this, the organization must provide a recourse mechanism on its website, interact with regulators in the US and EU, and comply with binding arbitration and an independent dispute resolution body of its choice.

There are additional principles, rules, and exceptions to the principles, which can be found in the European Commission’s decision.

 

C. What happens if you declare compliance with the principles and violate them

If a business declares compliance with the listed principles, it will be included in the list of certified businesses. If the business then violates these principles, a regulatory authority in the United States (the U.S. Department of Commerce, the Federal Trade Commission, or the U.S. Department of Transportation, as applicable) may consider it an unfair practice. An independent dispute resolution body or arbitration may also notify the U.S. regulators of a failure to comply with their decision. The offending business may be removed from the list of certified entities and required to delete all data that has been transferred during this time under the EU-U.S. DPF. The list of excluded organizations will also be public.

 

What to do if we have a company in the EU but work with partners in the US

You can’t force your US partner to get certified so that your lawyers have less work. But at least you can check who is certified and who is not, and with certified providers, you don’t have to assess the impact of data transfer on the rights of the subjects and simplify the form of the data processing agreement.

 

It is still advisable to check certified providers for reliability, for example, whether their policies take into account the principles and what they write on their websites. For non-certified providers, you should continue to work with them in the same way as before – by checking them and signing the SCC.

 

You may also want to update your policies after checking your contractors and indicate that you only work with certified contractors, for example.

 

What to do if we have a company in the USA

If you are in the US, you may or may not be certified. This is a right, not an obligation.

 

As practice shows, it is nice to write in your policies that your business is certified. It’s a good lever to influence a client’s choice of a provider. So, if you decide to get certified, go through the data processing principles and think about where you have weaknesses. Eliminate them. Then, amend your public and internal personal data processing policies, and choose an independent dispute resolution body. And then apply for certification.

 

Remember that if you are on the certified list, it still doesn’t mean you don’t need to sign a data processing agreement (DPA). The DPA form will simply be simpler than standard contractual clauses.

 

In addition to declaring compliance with the principles, you will also have to comply with them in practice – realize people’s rights, respond to requests from the regulator, resolve disputes in a certain manner, update your own policies, and make sure that data is secure when transferring it to your contractors. In the future, you will need to renew your certification every year.

 

You don’t have to be certified and can continue operating as before. The dog lies buried in the uncertain future of EU-U.S. DPF. In a year, the European Commission will review how the mechanism works. And what is more risky is that it is very likely that the EU-U.S. DPF will be challenged again in the EU Court of Justice.

 

Uncertain future: Max Schrems to challenge EU-U.S. DPF

No one knows how long the new data transfer mechanism will last. Right-wing activists from the organization NOYB (including the aforementioned Max Schrems) are preparingto challenge the mechanism in the EU Court of Justice. The last data transfer mechanism between the EU and the US lasted for 4 years. In the new case, NOYB predicts that it will take at least 2 years for the new case to reach the EU Court of Justice.

 

If the EU Court of Justice accepts the position of Schrems and the team, the EU-U.S. DPF may be canceled. We will have to return to the old mechanisms with SCC and assessments. That is why some businesses are already deciding not to try to apply for the EU-U.S. DPF or to play it safe and continue signing the SCC along with the certification.

 

The EU-U.S. DPF may eventually be replaced by another solution agreed upon by the EU and U.S. governments because businesses need to transfer data more easily. However, the US is likely to continue to fight for the right to intelligence to protect “national security,” and human rights activists in the EU will argue that the US is not changing and is still far from EU-equivalent data protection.

 

So, we are collecting bets on who will break this vicious circle. In the meantime, we are using the available mechanisms to look like a reliable provider in the eyes of EU businesses.

Author: Oksana Zadniprovska, partner at Axon Partners

0 Subscribe to the news