US companies are expected to receive certification of compliance with the new EU-US Data Privacy Framework (DPF) from the US Department of Commerce in order to fall under the Adequacy Decision for free data flows.
On 10 July the European Commission adopted its Adequacy Decision for the EU-U.S. Data Privacy Framework, which entered into force upon its adoption.
The Adequacy Decision followed the Schrems II judgment (Case C-311/18 of 16/07/2020), which ruled the EU-US Privacy Shield invalid, and the US signing of the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which introduced new binding safeguards to address the points raised by the Court of Justice of the European Union. In a nutshell, those safeguards include the following:
- data can be accessed by US intelligence agencies only to the extent that is necessary and proportionate;
- enhanced oversight of the activities of US intelligence services, to ensure compliance with the limitations on surveillance activities; and
- an independent and impartial redress mechanism, established to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
This Adequacy Decision, which allows the free transfer of data between EU and US bodies, is confined solely to those US companies participating in the EU-U.S. Data Privacy Framework (DPF). Participation in this framework is subject to certification by the Department of Commerce (DoC), and certification must be renewed annually. Free transfer means that no additional data protection safeguards (SCCs, BCRs, the conduct of a TPIA, etc.) need to be put in place, although a DPA must still be executed where required under Articles 26 or 28 of the GDPR.
European entities will therefore be able to transfer personal data, with a level of protection equivalent to that of the GDPR, ONLY to those companies that the DoC has certified as eligible to participate in the DPF. The DoC will publish a DPF list of the US bodies that have been certified.
The criteria against which US companies are audited in order to receive certification are laid down in the Data Privacy Framework Principles issued by the U.S. DoC and are included in Annex I of the Adequacy Decision[1].
In a nutshell, the Principles define personal data, processing, controllers and processors in terms similar to those of the GDPR and introduce the basic pillars of entities’ compliance obligations regarding the protection of personal data; indicatively, the following Principles of the EU-US DPF are stipulated:
- Data Integrity and Purpose Limitation Principle, similar to Article 5(1)(b) of Regulation (EU) 2016/679;
- Choice Principle[2] (e.g. the entity must provide data subjects with the opportunity to object/opt out) and its exceptions;
- Processing of special categories of personal data – specific safeguards apply to the processing of personal data that qualify as “special categories of data” under the GDPR, such as explicit consent or the other exceptions of Article 9(2) GDPR;
- Data accuracy, minimisation and security – in line with the Principles (similarly to the GDPR), personal data should be accurate and, where necessary, kept up to date; adequate, relevant and not excessive in relation to the purposes for which they are processed; and, in principle, kept only for a limited period of time;
- Notice Principle – transparency obligations (i.e. the obligation of entities to inform data subjects of the entity’s participation in the DPF and of the collection and processing of their personal data);
- Access Principle, relevant to individual rights – data subjects should have a right of access (i.e. to obtain from an organisation confirmation of whether or not it is processing personal data relating to them; to have such data communicated to them so that they can verify its accuracy and the lawfulness of the processing; and to have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles), which can be enforced against the entities. Additionally, data subjects have the right to be informed of the specific reasons that led to the decision, to dispute incomplete or inaccurate information, and to seek redress;
- Accountability for Onward Transfer Principle[3] – restrictions on onward transfers: the same level of protection of personal data must be provided for further transfers of such data to a recipient in the United States or in another third country;
- Accountability – the obligation of entities to adopt appropriate technical and organisational measures to comply with their data protection obligations and to be able to demonstrate compliance with the DPF;
- Administration, oversight and enforcement – the Department of Commerce (DoC) will administer and monitor the EU-U.S. DPF;
- (Re-)certification – the prerequisites for the certification of an entity are the publication of a declaration by the entity of its commitment to comply with the Principles, together with its privacy policies and their implementation, in conjunction with its placement on the DPF list by the DoC (certification takes effect from the date of placement on the DPF list); certification must be re-evaluated on an annual basis;
- Identifying and addressing false claims of participation/enforcement – the DoC has been designated as the organisation responsible for continuously monitoring effective compliance with the Principles by EU-U.S. DPF entities through various mechanisms. The same organisation shall monitor any false claims of participation by EU-U.S. DPF candidates. EU-U.S. DPF entities must be subject to the jurisdiction of the competent U.S. authorities – the FTC and the DoT – which have the necessary investigatory and enforcement powers to ensure compliance with the Principles effectively;
- Recourse, Enforcement and Liability Principle – EU-U.S. DPF organisations must be subject to the jurisdiction of the competent U.S. authorities – the FTC and the DoT – which have the necessary investigatory and enforcement powers to ensure compliance with the Principles effectively. The EU-U.S. DPF requires entities to provide recourse for data subjects affected by non-compliance, and thus gives Union data subjects the possibility to lodge complaints regarding non-compliance by EU-U.S. DPF entities and to have these complaints resolved, if necessary by a decision providing an effective remedy.
Additionally, terms have been laid down regarding access to and use of personal data transferred from the European Union to the US by public authorities.
The Adequacy Decision is not permanent: it depends on the results of the monitoring of the Decision and on the information provided by U.S. or Member States’ authorities. Where the level of protection afforded to data transferred under this Decision may no longer be adequate, the Commission should inform the competent U.S. authorities thereof without delay and request that appropriate measures be taken within a definite and realistic timeframe.
More details regarding the Adequacy Decision can be found here; the Data Privacy Framework list can be found here once the website has been completed and the organisations/entities that fulfil the said prerequisites have been added to it.
[1] Annex I, art. 12.A: “The purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual’s expectations and choices”. With the exception of data that is collected for publication, broadcast or other forms of public communication of journalistic material and information in previously published material disseminated from media archives, Annex I, Section III.2.
[2] Annex I, Section II.2.a and b.
[3] See Annex I, Section II.3 and Supplemental Principle ‘Obligatory Contracts for Onward Transfers’ (Annex I, Section III.10).