On 16 July 2024, the European Data Protection Board (EDPB) published two Frequently Asked Questions (FAQ) papers on the EU-US Data Privacy Framework (DPF): one directed at European businesses and the other focusing on European individuals.
They aim to provide welcome clarity to organisations who wish to transfer personal data to the United States under the DPF as a data exporter.
The very same week, US Secretary of Commerce Gina Raimondo and EU Commissioner for Justice and Consumers Didier Reynders met for the first periodic review of the DPF (DPF Periodic Review). The review marks one year since the DPF came into effect. Since then, the DPF has facilitated data flows that underpin more than 1tn dollars in EU-US trade and investment, with more than 2,800 enterprises having joined the DPF since its inception.
Background
The DPF is a self-certification mechanism for US companies which process EU personal data in the US.
It aims to ensure that the standards of essential equivalence set in the Schrems II decision of the Court of Justice of the European Union travel with EU personal data (see our previous analysis of the DPF here). It allows personal data to be transferred freely to US companies without further safeguards or authorisation procedures.
The DPF applies to any type of EU personal data transferred to the US from the EEA. Currently, only US companies who are subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC) or of the US Department of Transportation can self-certify.
EDPB FAQs for European Businesses
The EDPB’s FAQ paper for European businesses clarifies how such businesses should act when transferring EU personal data to US entities under the DPF. The guidance sets out several data transfer scenarios and specific actions required to ensure that such transfers comply with the General Data Protection Regulation (GDPR).
Crucially, the guidance states that EU businesses should, before transferring EU personal data to a US company that is, or claims to be, certified under the DPF, consult the DPF List (see here) to verify that the data importer has indeed successfully self-certified under DPF.
Where the data importer is not on (or has been removed from) the list, other grounds can be relied upon for the transfer to occur, such as Binding Corporate Rules or Standard Contractual Clauses.
The FAQ paper refers to three different data transfer scenarios. These are:
1. Transfers to US subsidiaries of companies certified under DPF;
2. Transfers to a company in the US acting as a controller;
3. Transfers to a company in the US acting as a processor.
In respect of (1), an EU-based entity acting as data exporter must ascertain whether the parent company’s certification covers the subsidiary before transferring data.
In respect of (2), an EU-based entity must, before transferring data, ensure the transfer complies with the GDPR. Namely, it must ensure that there is a legal basis for the processing of the personal data (e.g. Article 6 of the GDPR), that data subjects are informed of the recipients of their data (Articles 13 & 14 of the GDPR), and that the transfer is covered by the DPF. Moreover, businesses must ensure compliance with the other GDPR requirements, such as purpose limitation, accuracy, and information obligations towards data subjects.
In respect of (3), when an EU-based entity transfers EU personal data to a processor in the US, the guidance states that it will be obliged to conclude a data processing agreement under Article 28 GDPR, even if the US-based processor is self-certified. This agreement is needed to ensure that the US processor commits to (amongst other items):
- process the personal data only on documented instructions from the controller;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing; and
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
In the event that a US-based processor engages a sub-processor to carry out specific processing activities, the processor must ensure that requirements under Section II.3.B of the DPF are fulfilled, such that the sub-processor must provide the same level of protection of personal data as required in the DPF.
EDPB FAQs for European Individuals
The EDPB’s FAQ paper for European individuals offers clarity on individuals’ rights and relevant complaint resolution under the DPF. The guidance affirms EU data protection rights in the context of the DPF, such as the right of access (Article 15 of the GDPR), right of rectification (Article 16 of the GDPR), and right to be forgotten (Article 17 of the GDPR).
It also sets out various options available to European individuals to make a complaint if they are concerned with the processing of their personal data by US companies. It encourages the individual to directly contact the relevant US company about their concern. Failing that, the individual can make a complaint with their EU-based national Data Protection Authority (DPA).
The guidance distinguishes between complaints which are: (1) handled by an “informal panel of DPAs”; and (2) referred to the US authorities.
In the case of (1), this will occur if an individual makes a complaint about the processing of their HR data or if the data importer under the DPF has voluntarily chosen the EU DPAs as its independent recourse mechanism.
In relation to (2), if a complaint does not concern HR data or the US-based entity has not committed to cooperate with EU DPAs, the “informal panel” will not be the competent authority to hear the complaint. In that case, national DPAs may refer a complaint to competent US authorities, such as the Federal Trade Commission or the US Department of Commerce.
The FAQ document also sets out the procedures for individuals to lodge a complaint, including via the template complaint form.
Conclusion
As the DPF turns one, the EDPB’s release of the two FAQ papers provides timely clarity to European businesses and individuals. It also remains clear that data exporters must comply with the relevant provisions of the GDPR when transferring personal data to the US. Crucially, they cannot rely on the DPF alone.
We welcome the DPF periodic review, which indicates that the key stakeholders of the DPF are committed to its long-term implementation and effectiveness.
We will continue to post updates on these legal developments to help your business break down key issues and navigate this evolving area of data protection law.
If you require further information on the issues raised or have any queries about data protection compliance, please contact Rachel Hayes or any member of the William Fry Technology Department.
Contributed by Jamie Mac Uiginn.