EU-US Data Privacy Framework
The European Commission (EC) formally adopted an adequacy decision in relation to the EU.U.S. – Data Privacy Framework (“DPF”) on 10th July 2023, effective immediately.
The EC determined that the DPF, alongside commitments and measures implemented by the U.S. government provides adequate protection for the personal data of EU data subjects. The approval of the DPF allows EU businesses to transfer personal data to U.S. organisations that have self-certified and registered on the DPF list, relying on the EC’s adequacy decision as a transfer tool.
What does this mean for my EU/Irish company?
Where EU/Irish companies are transferring data to organisations that are confirmed to be on the DPF list in the U.S., under Article 45 of the GDPR, they can rely on the EC adequacy decision as the transfer tool and will no longer be required to ensure another appropriate safeguard (such as Standard Contractual Clauses) is in place, nor will supplementary measures be required. Transfer impact assessments will also no longer be required where the U.S. organisation is on the DPF list and it is anticipated that this will remove a large part of the administrative burden on EU/Irish companies in conducting personal data transfers in their business operations with U.S. organisations.
The U.S. Department of Commerce will publish and maintain a list of organisations who are certified under the DPF.
What if the U.S. Company is not listed on the Data Privacy Framework?
Where the U.S. organisation is not listed on the DPF, the transfer cannot be conducted based on an adequacy decision and therefore, appropriate safeguards will be required as before, such as the use of Standard Contractual Clauses and transfer impact assessments will still need to be conducted. The European Data Protection Board (“EDPB”) issued a statement and guidance for EU businesses seeking to rely on the DPF for data transfers on the 18th July 2023 [link here]. The EDPB statement confirms that data exporters can take into consideration the measures taken by the U.S. Government in respect of national security safeguards in their transfer impact assessments and in their use of Standard Contractual Clauses.
What does this mean for Data Subjects?
Data subjects whose data is transferred to the U.S. under the DPF, have an array of new rights and protections.
There now exists a two-stage redress mechanism that applies to all transfers of data to the U.S. (not exclusively to transfers relying on the DPF adequacy decision as a transfer tool) where national security is of concern and the Data Protection Review Court has been established. This redress mechanism allows the EU data subject to raise a complaint, at no cost, with their national supervisory authority who will keep them updated throughout the complaints process. In Ireland, complaints can be submitted to the Data Protection Commission who hands the complaint over to the EDPB who then transfers it to the US authorities to be dealt with. Where a violation of the data subjects’ rights is found to have occurred, the Court has binding powers to remedy such violation e.g. it can order that the personal data be deleted.
What steps have the U.S. Government taken to ensure an adequate level of protection?
- The US has signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”. This Executive Order introduces safeguards to ensure that personal data may only be accessed by U.S. intelligence agencies in circumstances where it is necessary and proportionate to do so and where there are defined national security objectives.
- The establishment of the two stage-redress mechanism outlined above.
- Enhanced oversight of signals intelligence activities to ensure compliance with the limitation of such surveillance.
What should my business do next?
- Review its transfers of personal data to the U.S. and establish if the organisations to which it is sending personal data is registered with the DPF.
- Ensure that any organisation purporting to be registered with the DPF is on the DPF list.
- Update transfer impact assessments to incorporate the changes to the U.S. data protection regime.