DATA PRIVACY FRAMEWORK

Adequacy decision for data transfers under a new Data Privacy Framework

At a time when a huge number of EU companies use the software solutions and services of both large US technology giants and small US-registered startups to carry out their processing activities, and those same US tech giants process large volumes of personal data in EU countries, the central legal issue in such processing operations is the transfer of personal data collected on the territory of the EU to companies in the USA. Since July 10, 2023, US companies have had a new opportunity to carry out unhindered data transfers from the territory of the EU. We discuss that new opportunity in more detail in this article.

On July 10, 2023, the European Commission adopted a landmark decision recognizing that personal data transferred under the EU-U.S. Data Privacy Framework (hereinafter DPF) enjoys an adequate level of protection. What does this mean for US companies processing personal data in the EU, and what impact can it have on your business?

If you are a US company and you wish to process personal data freely (that is, without implementing the additional safeguards provided for by Article 46 of the GDPR, for example the well-known Standard Contractual Clauses), then your company should make an effort to be included in the special list maintained by the US Department of Commerce (hereinafter DoC). This list identifies which companies apply the DPF and therefore have the right to unimpeded access to the data of individuals from the EU.

What is this Data Privacy Framework and what does it include?

The DPF is primarily a set of special requirements adopted by the US Department of Commerce that apply to US-resident companies and organizations (not individuals) that process the personal data of individuals located in the EU.

The DPF includes requirements for US-resident companies that are aimed at ensuring an adequate level of protection for the personal data of individuals processed by those companies. These requirements include compliance with the principles of personal data processing adopted by the DoC (notice, choice and others), as well as special requirements for data protection, data transfers to third parties, company certification, etc.

So, if a controller intends to transfer data for processing to, or jointly process data with, a certain US company, then cooperating with companies (controllers, including joint controllers, or processors) from the DoC's list gives that controller an opportunity for unhindered international data transfer, minimizes the risk of unlawful disclosure and therefore increases data security. When entering into data transfer agreements, your company, as data controller, will be able to require, through the relevant contractual provisions, that the US company be included in the mentioned list.

Data transfer from the EU to the US: new opportunities

So what are the requirements for US-resident companies to be included in this list?

The decision itself imposes the following requirements on the US companies and organizations:

  1. to be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the US Department of Transportation (DOT) or another statutory body (established by law) that will effectively ensure compliance with the principles of personal data processing adopted by the DoC;
  2. to publicly declare their commitment to comply with the personal data principles adopted by the DoC;
  3. to publicly disclose their privacy policy in accordance with the requirements adopted by the DoC;
  4. to fully apply the personal data processing principles adopted by the DoC.

In order to get on this list, a US company must self-certify with the DoC. The DoC, in turn, undertakes to compile a publicly accessible list of companies that have completed self-certification with the DoC and publicly declared their commitment to the principles of personal data processing: anyone can check whether a company has been certified by the DoC.

What personal data processing principles must a US company comply with, in order to be on the list?

The following principles of personal data processing must be implemented by US companies:

  • Notice: A US company must provide individuals with the following information:
  1. its participation in the list, together with a link to, or the web address of, the list;
  2. the types of personal data that are collected, as well as the third parties (recipients) or categories of third parties (recipients) to whom this personal data is transferred and which also adhere to these principles;
  3. its commitment to subject all personal data received from the EU in reliance on the DPF to the data processing principles;
  4. the purposes for which personal data is collected, used and transferred to third parties;
  5. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
  6. the right of individuals to access their personal data;
  7. the choices and means the organization offers individuals to limit the use and disclosure of their personal data;
  8. the independent dispute resolution body appointed to review complaints and provide appropriate free remedies to individuals, together with the type of such body, i.e. whether it is (1) a panel established by the EU data protection authorities (DPAs), (2) an alternative dispute resolution provider based in the EU (an arbitration provider, for example), or (3) an alternative dispute resolution provider based in the United States;
  9. being subject to the investigatory and enforcement powers of the FTC, the DOT or any other authorized US statutory body;
  10. the possibility, under certain conditions, for the individual to invoke binding arbitration;
  11. the liability of the company in the case of onward transfers to third parties.
  • Choice: the company must offer individuals a choice. This includes giving the individual the possibility to refuse (the right to opt out of) or consent to (a) the disclosure of their personal data to a third party or (b) the use of their personal data in a manner that is materially different from the purpose(s) for which it was originally collected. Individuals should be provided with clear, conspicuous and easily accessible mechanisms for making these choices.
  • Accountability for onward transfers: first of all, as stated in the DPF itself, in order to transfer personal data to a third party acting as a controller, the company must comply with the Notice and Choice principles. US companies must enter into an agreement with a third party acting as a controller which stipulates that personal data may only be processed for limited and specified purposes consistent with the consent given by the individual, that the third party, acting as controller, provides at least the level of protection required by these principles (an adequate level of protection), and that such third party undertakes to notify the company if it can no longer provide an adequate level of protection.

This principle also has specific features regarding the transfer of personal data to third parties acting as agents; in particular, companies undertake:

(i) to transfer such data only for limited and specified purposes, and to ensure that the agent provides the same level of privacy protection as required by these principles and will be able to notify the company that transferred the data of any lack of an adequate level of protection (i.e., one that does not meet the requirements of these principles);

(ii) to take reasonable and appropriate measures to ensure that the agent effectively processes the transferred personal data in a manner consistent with the company's obligations and with these principles;

(iii) upon notification by the agent that an adequate level of protection is lacking, to take reasonable and appropriate steps to stop and remediate the unauthorized processing, and to provide the DoC, upon request, with a summary or representative copy of the relevant privacy provisions contained in its agreement with the agent.

  • Security: companies that create, store, use or distribute personal information must take reasonable and appropriate measures to protect it against loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks associated with the processing and the nature of the personal data.
  • Data integrity and purpose limitation: it is prohibited to process the data in a way that is incompatible with the original purpose (in the absence of the natural person's consent to such a new purpose).
  • Accessibility: individuals must have access to the personal information about them that the company holds and the ability to correct, amend or delete that information where it is inaccurate.
  • Recourse, enforcement and liability: effective privacy protection must include robust mechanisms to ensure compliance with these principles, remedies for individuals affected by non-compliance, and consequences for the organization when the principles are not followed. As a minimum threshold for compliance with this principle, companies must implement the following mechanisms:
  1. readily accessible independent recourse mechanisms by which each individual's complaints and disputes are promptly resolved at no cost to the complainant, as well as a mechanism for the compensation of damages where this is provided for by applicable law;
  2. a procedure for verifying that the company's data protection practices remain in compliance with its internal documents (in particular, its policies);
  3. an obligation to remedy problems arising from non-compliance with these principles, together with consequences for the company in case of non-compliance.

An interesting innovation of the DPF is the obligation of companies to have claims considered in arbitration, provided that the individual has invoked binding arbitration by sending a notice to the relevant company and following the procedures and conditions set out in the arbitration agreement (Annex I of the DPF).

How can a US-resident company get on the list?

For initial self-certification (or re-certification after a period of time) in order to be placed on the list, a company must provide the DoC with a submission confirming the company's adherence to the mentioned principles and including at least the following information:

  • the name of the certified (or recertified) US company, as well as the names of any of its US affiliates or US subsidiaries that also comply with the principles of personal data processing;
  • a description of the company’s activities regarding personal data that will be received from the EU under the DPF;
  • a description of the relevant privacy policy of the company;
  • contact details for handling complaints, access requests and any other issues arising under the mentioned principles, including:
  1. the name, position, e-mail address and telephone number of the responsible person in the company; and
  2. the corresponding postal address of the company in the USA;

  • a specific statutory body that has jurisdiction to consider any claims against the company regarding possible unfair or deceptive practices and violations of laws or regulations governing data privacy;
  • the name of any data privacy protection program in which the organization is a participant;
  • verification method (either self-assessment or external compliance checks, including third-party checks);
  • relevant independent recourse mechanism, available to investigate unresolved complaints from individuals.

After the company has been placed on the list, it must also carry out appropriate verification on an ongoing basis. In detail, this covers further procedures for checking that its data processing activities comply with the privacy practices described in its internal documents (including policies), which must be available to the individuals whose data the company collects and processes and to regulators (on request). The company can carry out such verification either through a self-assessment or through an external compliance check.

Conclusion

In conclusion, the decision of the European Commission will simplify the transfer of the personal data of EU residents to US-resident companies, since the transfer will be carried out without obstacles: specifically, data can be transferred without the need to conclude additional contracts and/or to wait for the US companies to implement appropriate data protection measures (since an appropriate level of protection will already be in place). As a result, the data transfer procedure between European controllers and the relevant US companies included in the list will be accelerated, because companies on the list confirm an adequate level of protection during certification, rather than merely undertaking to create such a level of protection.