Navigating US Data Transfer Mechanisms
Anne Sophie Dil
Co-founder of NAALA
Published on 22 March, 2023
Is your company struggling to navigate the complex landscape of personal data transfers between the EU and the US, especially in light of recent developments such as the invalidation of the Safe Harbor agreement and the Privacy Shield? With a new draft adequacy decision currently in preparation, it can be challenging to stay up to date on the latest transfer mechanisms and compliance requirements. This blog post provides an update on the current state of play and the available transfer mechanisms, including the new replacement for the EU-US Privacy Shield and other supplementary measures. Keep reading to discover how to safely and legally transfer personal data from the EU to the US.
The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union and the transfer of such data to countries outside the EU. The GDPR applies to all companies that process personal data of individuals located in the EU, regardless of where the company is based.
One of the key principles of the GDPR is that personal data can only be transferred to countries outside the EU if that country provides an adequate level of data protection. The GDPR provides several mechanisms for such transfers, including standard contractual clauses (SCCs), binding corporate rules (BCRs), and derogations for specific situations.
However, in 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement, which had allowed for the transfer of personal data between the EU and the United States (US). The CJEU ruled that the US did not provide an adequate level of data protection, particularly with regard to US surveillance programs that allowed for the bulk collection of personal data.
In response to the CJEU’s ruling, the European Commission negotiated a new agreement with the US called the Privacy Shield. The Privacy Shield was designed to address the deficiencies identified by the CJEU and provided a framework for companies to transfer personal data between the EU and the US.
However, in 2020, the CJEU again invalidated the Privacy Shield, citing concerns about US surveillance programs and the lack of legal remedies for EU citizens whose data was accessed by US authorities. This decision left companies unsure about how to transfer personal data from the EU to the US.
Currently, companies can still use SCCs and BCRs to transfer personal data to the US, but they must conduct a risk assessment to determine if the transfer meets the GDPR’s requirements for an adequate level of data protection. A risk assessment can, for example, be performed using a Transfer Impact Assessment. The European Data Protection Board (EDPB) has also issued guidance to help companies ensure compliance with the GDPR when transferring personal data to the US.
Overall, the situation regarding the transfer of personal data from the EU to the US is complex and evolving. Currently pending is a draft adequacy decision for personal data exchange between the EU and US, made by the European Commission concerning the EU-US Data Privacy Framework (DPF) which will replace the invalidated Privacy Shield.
The draft adequacy decision is an important development in the ongoing efforts to ensure adequate protection of personal data when it is transferred from the EU to the US. The European Commission has proposed this decision, which, if adopted, would formally recognize the adequacy of US data protection laws, allowing for personal data to be transferred from the EU to the US without the need for additional safeguards, such as SCCs or BCRs.
The draft adequacy decision is based on an assessment of US data protection laws and practices, as well as feedback received from stakeholders. The adequacy decision notes that the US has made significant improvements in its data protection regime since the invalidation of the Privacy Shield, including the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, the California Consumer Privacy Act (CCPA), and the recently enacted California Privacy Rights Act (CPRA).
However, it is important to note that the draft adequacy decision is not final and is subject to review and approval by the European Parliament and Council. There are also concerns about the potential impact of recent US surveillance laws, such as the USA FREEDOM Act and the FISA Amendments Act, on the adequacy decision. Therefore, it remains to be seen whether the adequacy decision will be adopted and how it will be implemented in practice.
Summary of EDPB 05/2023 opinion
The European Data Protection Board (EDPB) has expressed its views on the draft adequacy decision. The EDPB welcomes some improvements made to the DPF Principles and the redress mechanism for EU data subjects. However, it has concerns about certain aspects, including certain rights of data subjects, onward transfers, temporary bulk collection of data, and the practical functioning of the redress mechanism. The EDPB recommends that the adoption of the decision should be conditional upon the adoption of updated policies and procedures by all US intelligence agencies to implement Executive Order 14086. The EDPB also asks for clarifications on several points related to U.S. public authorities’ access and use of data. The EDPB stresses that the level of protection must not be undermined by onward transfers and that close monitoring is necessary to ensure that the newly introduced principles of necessity and proportionality are practically applied.
Please find the EDPB 5/2023 opinion on the draft EU-US Data Privacy Framework here.
Transfer mechanisms refer to the ways in which personal data can be legally transferred from the European Economic Area (EEA), which comprises all countries in the European Union plus Iceland, Liechtenstein, and Norway, to countries outside the EEA.
Under the General Data Protection Regulation (GDPR), transfers of personal data to countries outside the EEA are restricted, as the GDPR seeks to protect the privacy and data rights of European citizens. However, there are several transfer mechanisms that allow such transfers to take place, provided that certain conditions are met.
The GDPR recognizes several transfer mechanisms, including:
- Adequacy Decisions: These are decisions by the European Commission that determine that a non-EEA country, a territory, or a specific sector within a country provides an adequate level of data protection that is essentially equivalent to that in the EEA. Personal data can be transferred to these countries without additional safeguards being necessary.
- Standard Contractual Clauses (SCCs): These are standardized contractual clauses that can be added to agreements between data exporters and importers to ensure that personal data is protected in accordance with GDPR standards. SCCs provide a legal framework for the transfer of data to non-EEA countries, and the European Commission has issued several sets of SCCs that can be used for different types of data transfers.
- Binding Corporate Rules (BCRs): These are internal rules that govern the transfer of personal data within a multinational company or group of companies. BCRs must be approved by a data protection authority and provide a legally binding framework for transfers of personal data.
- Codes of Conduct and Certification: These are voluntary mechanisms that organizations can use to demonstrate compliance with GDPR standards for international data transfers. A code of conduct is a set of rules that organizations in a particular industry or sector can agree to follow, while certification involves a third-party certification body verifying that an organization meets GDPR standards for data protection.
The EU-US Privacy Shield was a framework that allowed companies to transfer personal data from the European Union (EU) to the United States (US) while complying with the General Data Protection Regulation (GDPR). The Privacy Shield was put in place after its predecessor, the Safe Harbor Framework, was invalidated by the Court of Justice of the European Union (CJEU) in 2015.
However, in July 2020, the CJEU invalidated the EU-US Privacy Shield in the Schrems II ruling. The court found that the framework did not adequately protect the privacy rights of EU citizens when their personal data was transferred to the US, particularly in relation to US government surveillance practices. The court also ruled that the standard contractual clauses (SCCs), another transfer mechanism under the GDPR, remain valid but require companies to assess the level of protection offered by the recipient country and, if necessary, provide additional safeguards to ensure that the transfer complies with GDPR requirements.
As a result of the Schrems II ruling, companies that relied on the Privacy Shield for transferring personal data between the EU and the US had to switch to another transfer mechanism or provide additional safeguards to comply with GDPR requirements.
Following the invalidation of the Privacy Shield framework by the CJEU, transfers of personal data from the EEA to the US should be based on one of the other transfer mechanisms listed in Chapter V of the GDPR, such as:
- Standard Contractual Clauses (SCCs): These are pre-approved contract templates issued by the European Commission that contain standard data protection clauses. SCCs can be used for transfers between data controllers or between a data controller and a data processor.
- Binding Corporate Rules (BCRs): These are internal codes of conduct that ensure an adequate level of protection for personal data transferred within a multinational organization. BCRs must be approved by the relevant supervisory authority.
- Derogations: In certain exceptional circumstances, transfers of personal data to third countries may be allowed without the need for specific transfer mechanisms. However, derogations should be interpreted narrowly and used only when no other transfer mechanism is available.
It is important to note that the use of SCCs and BCRs requires an assessment of the adequacy of the level of data protection in the recipient country. If the recipient country does not provide an adequate level of protection, additional safeguards may need to be put in place to ensure an adequate level of protection for personal data.
A Draft Adequacy Decision, published by the European Commission on 13 December 2022, is based on the EU-U.S. Data Privacy Framework (DPF) – meant to replace the Privacy Shield invalidated by the CJEU in the Schrems II judgment. The key component of the DPF is the EU-US Data Privacy Framework Principles, which were issued by the U.S. Department of Commerce. The DPF is only applicable to U.S. organisations which have self-certified. The EDPB has now adopted its Opinion on the Draft Decision, which considers both the commercial aspects and U.S. public authorities’ access and use of data.
The EDPB had already issued guidance on two other transfer tools, certification and Codes of Conduct:
- EDPB Guidelines 7/2022 on certification as a tool for transfers:
These guidelines aim to provide practical guidance on how to use certification mechanisms as a tool for ensuring the transfer of personal data outside the EU and EEA complies with the GDPR.
The EDPB Guidelines 07/2022 explain that certification mechanisms can provide organizations with a way to demonstrate that they comply with the GDPR and are able to ensure an adequate level of data protection when transferring personal data outside of the EU and EEA. Certification can be an effective tool for demonstrating compliance with GDPR, which can help organizations build trust with data subjects and other stakeholders.
The guidelines also highlight that certification mechanisms are not mandatory and are just one of the many tools that organizations can use to comply with GDPR requirements when transferring personal data outside the EU and EEA. Moreover, the guidelines emphasize that the certification does not provide a “blanket” authorization for transfers and that organizations must still consider the specific circumstances of each transfer.
Overall, the EDPB Guidelines 07/2022 provide a useful resource for organizations looking to use certification mechanisms to ensure compliance with GDPR requirements when transferring personal data outside the EU and EEA.
- EDPB Guidelines 4/2021 on Codes of Conduct as tools for transfers:
The guidelines provide guidance on how Codes of Conduct can be used as a tool for facilitating transfers of personal data to third countries under the GDPR. A Code of Conduct is a voluntary set of rules, binding on its signatories, that sets out how they will process personal data. The guidelines state that Codes of Conduct can provide additional safeguards for data subjects when personal data is transferred to a third country.
The guidelines outline the requirements for Codes of Conduct under the GDPR, including the need for a clear and precise scope, a legal basis for the Code, and a system for monitoring compliance with the Code. The guidelines also provide recommendations on the content of a Code of Conduct, such as transparency, accountability, and data minimization.
In order to use a Code of Conduct as a transfer mechanism, the guidelines state that the Code must be approved by a supervisory authority or the EDPB. The guidelines also provide guidance on the approval process for Codes of Conduct.
Finally, the guidelines note that Codes of Conduct should be used in conjunction with other transfer mechanisms, such as SCCs or BCRs, to provide the necessary safeguards for transfers of personal data to third countries.
Questions? We are happy to discuss your specific case.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.