Data Privacy Newsletter – All About The Data Privacy Framework : June 2024

Data Transfers between the European Union and the United States of America

One of the objectives of the General Data Protection Regulation (“GDPR”) is to allow the free flow of personal data between the member states of the European Union (“EU”), while Chapter V of the GDPR sets out the conditions under which personal data may be transferred to countries outside the EU. In this newsletter, we discuss how the mechanisms for transferring personal data from the EU to the United States of America (“US”) have evolved.

International Data Transfers Mechanisms under the GDPR

In today’s increasingly interconnected and digitally borderless world, complying with the GDPR requirements for transfers of personal data to third countries poses a significant challenge for organisations. Under the GDPR, a transfer to a country outside the EU may only take place on one of the following bases:


  • Adequacy Decisions: An adequacy decision is a formal decision by the European Commission (“EC”) that a third country ensures a level of protection for personal data that is essentially equivalent to that of the EU. Personal data may flow to such a country without any further authorisation. Fifteen (15) countries have been recognised by the EC as providing an adequate level of protection for personal data.
  • Appropriate Safeguards: For transfers to countries without an adequacy decision, organisations may rely on appropriate safeguards, most commonly Standard Contractual Clauses (“SCCs”) adopted by the EC or, for intra-group transfers, Binding Corporate Rules (“BCRs”), and must honour the commitments set out therein. Following the CJEU’s 2020 Schrems II judgment, the data exporter must also assess whether the law and practice of the destination country undermine those safeguards and adopt supplementary measures where necessary.
  • Derogations: In the absence of an adequacy decision or appropriate safeguards, a transfer may take place under one of the specific derogations in Article 49 GDPR (for example, the explicit consent of the data subject, or necessity for the performance of a contract). Derogations are intended for occasional, non-repetitive transfers and should be relied on only as a last resort.

Evolving Data Transfer Landscape Between the European Union and the United States of America


  • Safe Harbour Framework: In 2000, the EC adopted an adequacy decision for the Safe Harbour Framework, a set of privacy principles issued by the US Department of Commerce (“DOC”) in consultation with the EC. The Framework faced several criticisms, including participants failing to perform annual compliance checks, a lack of active enforcement by the US Federal Trade Commission (“FTC”), and disclosures about mass surveillance programmes carried out by the US National Security Agency. On October 6, 2015, in the Schrems I judgment, the Court of Justice of the European Union (“CJEU”) declared the Safe Harbour adequacy decision invalid.
  • Privacy Shield Framework: On July 12, 2016, the EC adopted an adequacy decision for the Privacy Shield Framework, designed by the US DOC together with the EC as a replacement mechanism for companies transferring personal data from the EU to the US. The Framework was also challenged, and on July 16, 2020, in the Schrems II judgment, the CJEU declared the Privacy Shield adequacy decision invalid, chiefly because US surveillance law did not limit intelligence access to EU personal data to what is strictly necessary and did not give EU individuals actionable rights before an independent body.
  • Data Privacy Framework: The Data Privacy Framework was developed by the US DOC and the EC to give US-based organisations a reliable mechanism for receiving personal data from the EU while ensuring protection consistent with EU data protection law. The EC adopted its adequacy decision for the Data Privacy Framework on July 10, 2023.

The Data Privacy Framework (“DPF”)

With the adequacy decision for the DPF, organisations based in the EU can transfer personal data to US companies that have certified under the DPF without having to put in place SCCs or BCRs (appropriate safeguards). Transfers to US organisations that have not certified still require one of the other Chapter V mechanisms. The DPF is also known as the Trans-Atlantic Data Privacy Framework or the EU-US Data Privacy Framework. Participating organisations may additionally certify to the UK Extension to the EU-US DPF and to the Swiss-US DPF, covering transfers from the United Kingdom and Switzerland.

The DPF was developed to address the concerns identified by the CJEU in its 2020 Schrems II judgment: the risk of disproportionate surveillance by US intelligence agencies, and the lack of effective judicial redress for EU individuals. On the US side, these were addressed through Executive Order 14086 of October 2022, which requires signals intelligence activities to be necessary and proportionate and establishes a two-tier redress mechanism culminating in the Data Protection Review Court.

The DPF gives EU individuals whose data is transferred to the US several rights and routes to redress if their personal data is mishandled by a participating US organisation: a complaint to the organisation itself, which must respond within 45 days; a complaint to the organisation’s independent recourse mechanism, free of charge to the individual; a complaint to the individual’s national data protection authority, which can cooperate with the DOC and the FTC; and, as a last resort, binding arbitration before an arbitration panel.

US-based organisations certify their participation in the DPF by committing to comply with a detailed set of privacy obligations, including the privacy principles detailed below.

The Data Privacy Framework Principles

The DPF sets out seven core principles that participating organisations must adhere to. They are as follows:

  • Notice: Organisations must inform individuals, in clear and conspicuous language, about their participation in the DPF, the types of personal data collected, the purposes of collection, the third parties to which the data is disclosed and the purposes for disclosure, the individual’s rights of access and choice, how to contact the organisation with inquiries and complaints, and the independent recourse mechanism available.
  • Choice: Individuals must be given the opportunity to opt out of having their personal data disclosed to a third-party controller or used for a purpose materially different from the purpose for which it was originally collected. For sensitive information, the organisation must obtain affirmative express (opt-in) consent.
  • Accountability for onward transfers: An organisation that transfers personal data to a third party acting as a controller or as an agent may do so only for limited and specified purposes and under a contract obliging the recipient to provide the same level of protection as the Principles. The organisation remains liable if its agent processes the data in a manner inconsistent with the Principles, unless it proves that it is not responsible for the event giving rise to the damage.
  • Security: Organisations creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” measures to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction, taking into account the risks involved and the nature of the data.
  • Data integrity and purpose limitation: Personal data must be limited to what is relevant for the purposes of processing, must not be processed in a manner incompatible with the purposes for which it was collected or subsequently authorised by the individual, must be kept reliable, accurate, complete and current, and may be retained in identifiable form only for as long as it serves a purpose of processing.
  • Access: Individuals must be able to access the personal data an organisation holds about them and to correct, amend or delete it where it is inaccurate or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of other persons would be violated.
  • Recourse, enforcement and liability: Participants must provide a readily available independent recourse mechanism that investigates and resolves individual complaints at no cost to the individual, must verify their compliance with the Principles (through self-assessment or outside review), and must remedy problems arising from failure to comply, with sanctions rigorous enough to ensure compliance.

The DPF also includes sixteen (16) Supplemental Principles that elaborate on the core principles and apply to all self-certifying organisations. One of them specifically addresses human resources data: an organisation that intends to receive personal data about employees transferred from the EU in the context of the employment relationship must additionally commit to cooperate with the EU data protection authorities in the investigation and resolution of complaints.

DPF Certification Eligibility 

To qualify for the DPF Program, a US organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT). Organisations self-certify their compliance with the DPF Principles through the Data Privacy Framework Program website operated by the DOC. An organisation may not publicly represent its participation until the DOC has reviewed its submission and placed it on the DPF List; from that point its public commitment to the Principles becomes enforceable under US law, and the certification must be renewed annually.

Organization’s Privacy Policy for DPF Self-certification

An organisation applying for self-certification under the DPF must provide the US DOC’s International Trade Administration (“ITA”) with its privacy policy (or a link to it), and the policy must be publicly available, for example on the organisation’s website. The privacy policy must be updated to:

  1. state that the organisation adheres to the DPF Principles,
  2. link to the DPF website, where the organisation’s certification can be viewed on the DPF List,
  3. state, as applicable, that the certification extends to the UK Extension to the EU-US DPF and/or the Swiss-US DPF,
  4. identify the independent recourse mechanism available to individuals, and
  5. include the other statements required under the Notice principle, such as that the organisation is subject to the investigatory and enforcement powers of the FTC or DOT, that individuals may invoke binding arbitration under certain conditions, that the organisation may be required to disclose personal data in response to lawful requests by public authorities, and that it is liable in cases of onward transfers to third parties.

Self-certification Costs under the DPF Program

To support the operation of the DPF Program, the ITA requires every participating US organisation to pay an annual fee. The fee schedule is tiered by the organisation’s annual revenue, with the lowest tier starting at USD 250. The fee is payable on initial self-certification and again on each annual re-certification. Separately, participants contribute to the arbitral fund that finances the binding arbitration mechanism.

Way Forward

The EC’s adequacy decision for the DPF confirms that the DPF meets the EU GDPR standard for adequate protection of personal data. US-based organisations that meet the eligibility criteria, and those that were previously certified under the Privacy Shield Framework, should take the necessary steps to align their existing privacy programmes with the DPF certification requirements, including updating their privacy policies, so that trans-Atlantic transfers relying on the DPF remain valid. EU-based exporters, for their part, should verify on the DPF List that a US recipient’s certification is active and covers the type of data being transferred (for example, HR data) before relying on the DPF rather than on SCCs or BCRs.
