The European Court of Justice’s July 16th 2020 Schrems II judgment had major implications for the use of US cloud services. Since that case, every US cloud service provider has been obliged to assess the data protection laws of the country receiving the transferred data, document its risk assessment, and confer with its customers.
The flow of data across borders is now a key component of global commerce, particularly commerce conducted between the European Union and the United States of America. Companies and organizations that engage in transatlantic data exchanges must comply with established regulatory standards to ensure the protection of personal data.
The introduction of the EU-US Data Privacy Framework on July 10th, 2023, marked a new phase in the regulation of such data transfers, replacing the previous Privacy Shield framework. Organizations involved in these international data flows should fully understand this new framework and the safeguards it entails.
The EU-US Data Privacy Framework
Established in order to facilitate the transfer of personal data from Europe to America, the EU-US Data Privacy Framework also ensures that the data protection requirements of the General Data Protection Regulation (GDPR) are upheld. This framework was created as a response to the invalidation of the Privacy Shield by the Court of Justice of the European Union in the aforementioned Schrems II case of 2020, which had raised concerns about the adequacy of US data protection measures.
In order to address these concerns, the new framework introduced several enhancements aimed at strengthening the protections offered to EU citizens’ data when it is transferred to the USA. These enhancements are intended to provide greater transparency, oversight, and legal recourse for individuals whose data is processed under the framework.
Key elements of the framework
The EU-US Data Privacy Framework builds upon the principles that had already existed under the Privacy Shield, but with additional safeguards and oversight mechanisms. The key elements include:
- Binding safeguards: The framework imposes binding obligations on American businesses that process personal data transferred from Europe. The data must be handled in accordance with GDPR requirements, including principles of data minimization, purpose limitation, and security.
- Redress mechanisms: EU citizens now have multiple avenues for redress if they believe their data has been mishandled, including access to independent dispute resolution bodies and the possibility of invoking binding arbitration. A key feature is the establishment of the Data Protection Review Court (DPRC) in the US, which gives EU individuals the ability to seek redress for violations of their data privacy rights.
- Oversight and monitoring: The framework establishes robust oversight structures to enforce compliance with its provisions. The US Department of Commerce monitors adherence to the framework’s requirements, and the Federal Trade Commission (FTC) enforces these obligations. Periodic reviews are conducted to evaluate the framework’s effectiveness and to ensure that it continues to meet the standards of data protection expected by the EU.
- Data access by public authorities: The framework addresses concerns regarding access to personal data by American authorities for national security purposes. A more stringent assessment of the necessity and proportionality of such access has been introduced, and enhanced oversight and transparency measures are provided. The DPRC also has the authority to review complaints related to data access by those public authorities.
The safeguards imposed
Organizations wishing to benefit from the EU-US Data Privacy Framework are obligated to adhere to specific safeguards to ensure compliance. These safeguards are intended to protect the data rights of EU citizens while allowing for the legitimate transfer of data for business purposes.
- Self-certification: American companies self-certify their commitment to the framework’s principles by signing up to the Data Privacy Framework List. Managed by the US Department of Commerce, the list includes organizations that have pledged to adhere to the framework’s standards. More on the list below.
- Data protection principles: Participating organizations must implement a set of data protection principles that respect GDPR standards. Included in these principles are requirements to ensure that data is processed fairly and lawfully, that individuals are informed about the use of their data, and that data is not retained longer than necessary for its intended purpose.
- Accountability for onward transfers: When data is transferred from a participating American company to a third party, the framework demands that appropriate contractual safeguards are put in place to ensure that the data remains protected. This includes ensuring that the third party is also compliant with the data protection principles outlined in the framework.
- Data integrity and purpose limitation: The framework requires that personal data be relevant and limited only to what is strictly necessary for the purposes for which it is processed. Companies must guarantee that the data is accurate, up to date, and that it is used for the purposes for which it was originally collected.
- Security measures: Organizations must put appropriate security measures in place in order to protect personal data against unauthorized access, alteration, or disclosure. The measures have to be proportionate to the nature of the data and the risks associated with its processing.
The Data Privacy Framework List
The Data Privacy Framework List serves as a public directory of American companies which are committed to the principles of the EU-US Data Privacy Framework. Inclusion on this list is required for any organization which seeks to receive personal data from the EU under the framework.
For data controllers in the EU, this list is a trusted resource when identifying US partners that meet the required data protection standards. Working with companies on this list permits data transfers that comply with GDPR, thereby avoiding the legal complexities associated with non-compliant data transfers.
For US-based companies, being listed is not only a compliance requirement but also a mark of credibility. It indicates a commitment to data protection and can improve business relationships with their EU-based partners by demonstrating adherence to high standards of privacy and security.
Legal and business implications
Complying with the EU-US Data Privacy Framework has legal and business implications for organizations. From a legal perspective, compliance with the framework is obligatory in order to avoid penalties under GDPR for unlawful data transfers. It also provides a mechanism for resolving the disputes that can arise around data privacy issues.
From a business perspective, participating in the framework enables the seamless transfer of data across international borders. It also enhances trust with partners and customers in the European Union.
Failing to comply with the framework’s requirements can result in legal and reputational risks, including fines, sanctions, and the loss of business opportunities. It is in the interest of organizations which engage in transatlantic data transfers to understand and respect the framework’s provisions.
Image credit: Funtap, AdobeStock