Data is required for the successful operation of business functions, and it is shared with different service providers, vendors, and third parties. One of the basic ideas behind the enactment of privacy regulations is that the individual should always have control over his/her data. There is always a privacy risk when data is shared with a third party, and the risk increases when these third parties are located outside the individual's country. Cross-border data transfer occurs when personal data is transferred across international borders. It may involve regulatory complexities due to variations between data protection frameworks.
Regulators in different countries are making efforts to ensure that the individual always has an appropriate level of control over his/her data. Where data is shared outside the country, the GDPR incorporates different mechanisms to mitigate the risk involved in cross-border data transfer. One such mechanism is to identify a particular country as an ‘Adequate Country’ for such data transfer, which implies that the country has appropriate regulations in place to ensure that such data transfer is safe and that the rights of individuals in relation to their data remain protected.
The concept of data transfers on the basis of an adequacy decision, as incorporated under Article 45 of the GDPR, provides that a transfer of personal data to a third country may take place where the European Commission has decided that the third country ensures an adequate level of data protection. Such a transfer does not require any specific authorization.
European Commission adequacy decision for the USA
On 10 July, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision declares that the United States ensures a level of protection comparable to that of the EU for personal data transferred from the EU to US companies that comply with the EU-U.S. Data Privacy Framework.
EU-U.S. Data Privacy Framework (DPF)
Based on the new adequacy decision, personal data of EU residents can be moved from the EU to companies based in the US that participate in the framework.
Participation in the DPF is voluntary, not mandatory. US companies that do not wish to participate in the DPF can use alternative EU data transfer mechanisms, such as EU standard contractual clauses (SCCs) with the EU data exporter, to transfer personal data from the EU.
Core Principles
- Notice:
  - Organizations are required to publish a privacy notice that contains a number of specific details related to rights and obligations under the DPF.
- Choice:
  - Organizations are required to provide a mechanism for individuals to make certain choices regarding the processing of their personal data.
- Accountability for Onward Transfers:
  - Participating companies must comply with certain procedures and impose certain contractual terms when transferring personal data received under the DPF to a third party.
- Security:
  - Organizations are required to take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
- Data Integrity and Purpose Limitation:
  - The participating company must use and retain personal information only for the purposes for which it was collected or subsequently authorized by the individual.
- Access:
  - The participating company must allow individuals to access their personal data. The DPF also requires that individuals be allowed to correct, amend, or delete that information.
- Recourse, Enforcement, and Liability:
  - The participating company must implement robust recourse mechanisms, cooperate with authorities, and arbitrate claims in accordance with the DPF.
Applicability - Companies eligible to participate in the DPF
To participate in DPF, the company must be subject to the enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DOT).
Advantages of joining the framework
The DPF has clear guidelines on compliance requirements. Controllers are not required to obtain authorization before agreeing to share data with a participating entity based in the US.
The DPF offers a few advantages over SCCs, such as ease of use, contracting language, and execution. European businesses may prefer engaging with DPF-certified US companies to demonstrate enhanced protection of transferred personal data vis-à-vis their customers and local authorities. However, the DPF also imposes significant ongoing compliance obligations on participating companies, as described in the sections below.
Compliance requirements under the EU-U.S. DPF
The Data Privacy Framework (DPF) is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. It enables U.S.-based organizations to self-certify to the ITA via the Department's DPF program website (https://www.dataprivacyframework.gov/) and publicly commit to comply with the DPF Principles. The ITA maintains the list of participating organizations complying with the Data Privacy Framework on the basis of the annual re-certification submissions they make. The ITA removes organizations from the list when they fail to complete the annual re-certification in accordance with the ITA's procedures, voluntarily withdraw, or are found to persistently fail to comply. A list of removed organizations, with the reason for each removal, is also maintained and made available to the public.
Organizations willing to join the DPF are required to include in their privacy policy a declaration of their commitment to comply with the DPF Principles. They are also required to link to the U.S. Department of Commerce’s DPF program website and to the complaint submission form of the Independent Recourse Mechanism available to individuals for complaints brought under the DPF Principles.
Organizations are required to respond to any complaint brought by an individual within 45 days, and the Independent Recourse Mechanism must be provided for complaint resolution at no cost to the individual.
Status of EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield was invalidated on 16 July 2020 by the European Court of Justice in the Schrems II case. Organizations that self-certified their compliance under the EU-U.S. Privacy Shield in the past are now required to comply with the EU-U.S. DPF Principles in order to rely on the EU-U.S. DPF as a mechanism for cross-border data transfer. Organizations can also use other mechanisms provided under the GDPR, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
As an industry best practice, organizations should review the nature of the processing activity, the data, and the individuals whose data is collected and processed, and implement an appropriate mechanism for transferring that data. Where an organization relies on the EU-U.S. DPF, it should update its privacy notices and adhere to the DPF Principles.
Riskpro has helped large, reputed, and mid-size companies, along with many startups and small companies, achieve compliance from scratch at competitive pricing. To know more, contact us at info@riskpro.in
Author
Om Prakash Singh
Assistant Manager – IT Risk Advisory
Riskpro India
Sources -
EU-US data transfers: https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
EU GDPR: https://gdpr-info.eu/art-45-gdpr/
EU-U.S. Data Privacy Framework: https://www.dataprivacyframework.gov/
Key Requirements for DPF Program Participating Organizations: https://www.dataprivacyframework.gov/key-requirements
EU-U.S. Privacy Shield: https://ico.org.uk/make-a-complaint/eu-us-privacy-shield/
Schrems II case: