ARTICLE
12 August 2024

Data Privacy Framework: EDPB Provides Clarification To European Companies


One year after the adoption of the EU-U.S. Data Privacy Framework ("DPF"), the European Data Protection Board ("EDPB") has published FAQs aimed at clarifying the constraints on European companies transferring personal data to the United States.

Ever since the GDPR came into force, the transfer of personal data outside Europe has been a matter of major importance, not least because of the layered European and national rulings on the subject; within this context, transfers of data to the United States are particularly relevant.

Aiming to fill the gap left by the fall of the Privacy Shield, on July 10, 2023, the European Commission approved the Adequacy Decision for the Data Privacy Framework ("DPF"), intended to ensure an adequate level of protection for personal data transferred from the EU to participating U.S. companies, without requiring European entities to implement additional data protection measures.

The DPF is based on a self-certification system under which U.S. companies agree to comply with a number of data protection obligations, such as the principle of purpose limitation and the obligations of data minimization and data retention (for more, see our earlier article "EU-US PERSONAL DATA TRANSFER: DATA PRIVACY FRAMEWORK APPROVED").

One year after the approval of the DPF, the EDPB has published FAQs for European companies transferring data from the European Economic Area to U.S. companies participating in the agreement. The document first clarifies that not all companies are eligible for the DPF, which applies only to companies subject to the investigative powers of the Federal Trade Commission or the Department of Transportation. Thus, nonprofit organizations, banks, insurance companies and telecommunications service providers, among others, remain excluded.

In addition, the FAQ explains that, before transferring data to U.S. companies, European companies must verify that the recipient's self-certification under the DPF is valid and active by consulting the public registry available on the U.S. Department of Commerce website. This verification must also be performed with respect to affiliated companies if data are transferred to the affiliate rather than to the parent company. Beyond this, European companies may only transfer data if there is a legitimate legal basis for processing and if the principles enshrined in the GDPR, such as purpose limitation, proportionality, accuracy, and information obligations towards data subjects, are complied with throughout the transfer.

Finally, the EDPB reminds that if a data controller based in the European Union transfers data to a data processor based in the United States, it will, as a controller, need to formally appoint the processor under Article 28 GDPR, regardless of whether or not the recipient adheres to the DPF. Moreover, where the data processor adheres to the DPF and, in addition, makes use of sub-processors, these sub-processors will also need to assure the data controller that appropriate technical and organizational measures are in place, consistent with the requirements of the framework discussed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
