EU-US Data Privacy Framework, UK-US Data Bridge Ease Transatlantic Data Transfers

Miles & Stockbridge P.C.

Sharing personal data across borders is critical for organizations operating and doing business internationally. Doing so in compliance with data security and privacy laws, however, can be a complex and challenging exercise due to the differing protections and transfer mechanisms across jurisdictions and countries. Thanks to recent developments between the United States, European Union and United Kingdom, U.S. companies once again have an easier pathway to share and receive data from their business partners and related entities in the EU and U.K.

History of Data Transfers

Data transfers to the United States are especially difficult when coming from the EU and U.K., which are governed by the General Data Protection Regulation (GDPR) and U.K. GDPR, respectively. The GDPR imposes obligations on organizations that target or collect personal data related to individuals in the EU regardless of where the organization is located. The transfer of personal data to organizations outside of the EU is only permitted where the European Commission has determined that the “third country” in which the organization is located can ensure an adequate level of protection to safeguard personal data, also known as “adequacy.” The U.K. GDPR has similar cross-border restrictions on transfers to countries lacking adequacy.

When making an adequacy determination, the commission assesses the third country’s laws and practices regarding personal data. The commission has granted adequacy for just over a dozen jurisdictions due to the GDPR’s strict threshold for data security protections. The U.S. is not adequate under the GDPR or U.K. GDPR because it does not have any comprehensive personal data privacy laws at the federal level. Two prior frameworks designed to create a trans-Atlantic data transfer framework, the U.S.-EU Safe Harbor and EU-U.S. Privacy Shield, were both struck down by the Court of Justice of the European Union (CJEU) as invalid.

In the absence of a data-transfer framework, companies in the EU and U.S. that sought to share personal data, even among related entities of the same parent company, were left to undergo the burdensome task of (1) completing a transfer-impact assessment to evaluate whether protections for individuals under the GDPR would be undermined by the laws and practices of the third country; and (2) implementing a transfer mechanism, such as standard contractual clauses or binding corporate rules, as provided for by the GDPR. Performing an assessment of a third country’s surveillance laws and practices, for example, is a taxing exercise, and the GDPR’s standard contractual clauses and binding corporate rules are rigid. The U.K.’s requirements for data transfers with U.S. companies were largely identical and equally taxing.

Despite these requirements, the U.K.-U.S.-EU triangle still is one of the most important pieces in the global-transfers puzzle, with trans-Atlantic data flows estimated to underpin more than $1 trillion in trade and investment annually.

Thankfully, relief has arrived. On July 10 the European Commission announced it would, effective immediately, recognize as adequate commercial organizations located in the United States that participate in the EU-U.S. Data Privacy Framework (“DPF”). The EU-U.S. DPF lays out a set of requirements governing participating organizations’ use and treatment of personal data received from the EU and, as applicable, the U.K., as well as the access and recourse mechanisms that participants must provide to EU and, as applicable, U.K. individuals. This coincides with the U.K.’s determination on Sept. 21 that the new U.K.-U.S. Data Bridge “maintains high standards of privacy for U.K. personal data.” The U.K.-U.S. Data Bridge (“data bridge” is the U.K.’s preferred term for adequacy) took effect Oct. 12. With the Data Bridge, organizations in the U.K. will be able to transfer personal data to U.S. organizations certified to the “U.K. Extension to the EU-U.S. Data Privacy Framework” without the need for further safeguards.

Next Steps for Companies

Who is eligible? Companies subject to the jurisdiction of the Federal Trade Commission or the U.S. Department of Transportation may self-certify for the DPF and, if desired, also participate in the Data Bridge. Importantly, the Data Bridge is not available independently and can only be used if a company has already self-certified to DPF and then opts into the U.K. extension.

How does an organization self-certify? The first step is to thoroughly assess eligibility and compliance with the DPF Principles. The U.S. Department of Commerce has launched the DPF program website, which provides an overview for eligible U.S. companies looking to self-certify. Eligible companies will be able to join the DPF and the U.K.-U.S. Data Bridge by committing to comply with a detailed set of privacy obligations, including developing a conforming privacy policy that protects data subjects’ rights under the GDPR, identifying an independent recourse mechanism and publicly committing to compliance with the DPF Principles, in addition to other requirements. U.S. companies will also be required to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure “downstream” continuity of protection when personal data is shared with third parties.

Companies that previously self-certified to comply with Privacy Shield could begin relying on DPF if they recertify compliance in accordance with the DPF Principles and issue updated privacy policies reflecting changed procedures and data subject rights.

Are there any additional requirements post-certification? Organizations must annually recertify their compliance with DPF Principles. Companies must handle complaints, access requests or other issues. Addressing some of the concerns underlying the invalidation of Privacy Shield and Safe Harbor, DPF requires certifying companies to provide readily available recourse mechanisms to investigate unresolved complaints, including a free system of alternative dispute resolution (ADR) by an independent third party. These dispute resolution systems must be in place prior to self-certification.

Ultimately, the implementation of Data Bridge and the commission’s adequacy decision are significant steps toward a more scalable, streamlined and multisided international approach to ensuring safe trans-Atlantic personal data transfers. These moves will allow the U.S., EU and U.K. to facilitate the transfer of data benefiting organizations and individuals on both sides of the Atlantic.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
