EU-U.S. Data Privacy Framework: EDPB publishes FAQs

The EDPB recently published FAQs on the EU-U.S. Data Privacy Framework (“DPF”).  A year on from the introduction of the DPF, here’s what European businesses and individuals need to know.

DPF Overview:

The DPF is a self-certification mechanism whereby U.S. companies certify that they comply with key principles, rules and obligations in relation to their processing of personal data of EEA individuals.  Companies renew their certification annually.  Companies that have not renewed their certification must continue to abide by the DPF principles for as long as they continue to retain any relevant personal data.

While there were previous iterations of mechanisms to allow for EU-U.S. data flows, following a review of the DPF, the European Commission produced an adequacy decision on 10 July 2023 which allows for the free flow of personal data from an EEA exporter to U.S. certified companies, without the need to put in place further safeguards or to obtain authorisation.  For a more detailed analysis on the DPF and its background, please see our previous briefing here.

The DPF applies to any type of personal data as long as the recipient company in the U.S. is certified to receive that personal data.  For example, only certain companies are certified to receive certain types of special category personal data, such as health data.

In order to be eligible to self-certify, a company in the U.S. must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).  Therefore, businesses operating in certain industries such as banking or insurance do not have the option to self-certify under the DPF and must transfer personal data under a different mechanism available under the GDPR (such as BCRs or SCCs, as set out in Chapter V of the GDPR).

European Businesses:

The FAQ for European Businesses (available here) provides guidance to businesses on what the DPF is, which U.S. companies are eligible and how European businesses should manage interactions with such companies.

Double-Check Certification:

Before engaging with any U.S. company claiming to be self-certified under the DPF, an EEA data exporter must verify that the U.S. company holds an active self-certification and that the certification covers the personal data in question.  When dealing with a subsidiary of a self-certified U.S. company, this includes checking that the subsidiary is covered by the certification of the parent company.

Where the U.S. Company is the Controller:

Before transferring personal data to a controller in the U.S., the EEA data exporter must ensure that the transfer complies with all other relevant provisions of the GDPR.  This includes:

(i) Identifying a valid legal basis for the data transfer;

(ii) Complying with the general requirements of purpose limitation, proportionality, accuracy and providing certain information to data subjects; and

(iii) Providing data subjects with sufficient information regarding the recipients of their data and that the data is being transferred on the basis of the DPF adequacy decision.

Where the U.S. Company is the Processor:

Where an EEA based controller is transferring data to a self-certified processor in the U.S., there is still the requirement to enter into a data processing agreement (“DPA”).  All relevant Article 28 rights and obligations must be reflected in the DPA, including, for example, that the U.S. processor will:

(i) only process the personal data on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation;

(ii) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with what is required by Article 32 and sections 4 and 10 of the DPF; and

(iii) assist the controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the processor.

If the U.S. processor engages a sub-processor to carry out processing activities on behalf of the EEA controller, the processor must ensure that the requirements under Section II.3.B DPF are fulfilled.  Section II.3.B requires that sub-processors provide the same level of protection of personal data as is required by the DPF and that the same data protection obligations apply as those set out in the DPA.  If a sub-processor fails to fulfil its data protection obligations, the initial U.S. processor is fully liable to the controller for the performance of the sub-processor’s obligations.

European Individuals

How do Individuals benefit from the DPF?

The DPF grants individuals certain rights when their personal data have been transferred from the EEA to a company in the U.S. that has self-certified under the DPF.  Individuals have the right to be informed of such a transfer and its purpose, to obtain access to their personal data, and to correct or delete any incorrect or unlawfully handled data.

Lodging a Complaint and Complaint Handling:

If an individual has concerns regarding the processing of his or her personal data, the FAQ, available here, recommends that they contact the self-certified company directly as a first step.  The DPF list (here) provides information about the complaint procedure and independent recourse mechanism for each self-certified company.  If an individual’s concern is not adequately addressed by the company, it is suggested that they contact the national data protection authority of the country where they reside or work, or from where their personal data have been transferred to the U.S.  In Ireland, the national data protection authority is the Data Protection Commission.

National Data Protection Authorities’ Complaint Handling:

When an EEA data protection authority receives a complaint in relation to the DPF, it may:

  1. Set up an Informal Panel of Data Protection Authorities:  Where a complaint relates to HR data, or where the U.S. company has voluntarily chosen the EU Data Protection Authorities as its independent recourse mechanism, an informal panel of several EU Data Protection Authorities will be established to handle the complaint.  The panel will open an investigation to hear from the data subject and the company involved.  If necessary to resolve the complaint, the panel can issue binding advice on the U.S. company.
  2. Refer the Complaint to U.S. Authorities: If a data subject’s complaint does not concern HR data, or where the U.S. company has not committed to cooperate with the EU Data Protection Authorities, the data subject’s national Data Protection Authority may refer the complaint to the competent U.S. authority, such as the FTC or the DoT.

The Data Protection Authority which regulates the EEA data exporter may also directly exercise its powers (such as prohibiting or suspending data transfers) towards the data exporter.

Comment:

On 9 August 2024, the European Commission put out a call for evidence on how the framework is functioning.  Pursuant to Article 3(4) of the adequacy decision, the first review shall take place one year after its entry into force in order to verify whether all its relevant elements have been fully implemented and are functioning effectively in practice.  The call for evidence is open from 9 August to 6 September 2024. Please find more information here.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.