European Data Protection Board Publishes EU-U.S. Data Privacy Framework FAQs For Businesses And Individuals


Ropes & Gray LLP


In an effort to give greater clarity to the regulation of international personal data transfers from the EU to the U.S., on 16 July 2024 the European Data Protection Board ("EDPB") published two sets of FAQs relating to the EU-U.S. Data Privacy Framework ("DPF"): one for (i) businesses in the European Economic Area ("EEA"); and one for (ii) individuals in the EEA whose personal data is transferred to a U.S. company under the DPF.

While both FAQs provide a high-level overview of the DPF, the business FAQs provide additional information for organisations to consider when transferring personal data in reliance on the DPF to controllers or processors, as well as to subsidiaries of such organisations. The FAQs for European individuals provide information on the rights that may be exercised over personal data transferred in reliance on the DPF, and on how complaints are handled under the DPF.

Background to the FAQs

The EDPB is the independent EU body tasked with the consistent application of the GDPR across the EU.

The DPF is a self-certification mechanism which allows for the transfer of personal data from the EEA to certified businesses in the U.S. without the need for additional safeguards, such as the standard contractual clauses (for further background information on the DPF, please see our article on New EU-US Data Privacy Framework – Key takeaways for transatlantic data transfers).

FAQs for Businesses

  • Transfers to U.S. subsidiaries of self-certified organisations. When an organisation intends to transfer personal data to a subsidiary of a DPF-certified organisation, it must confirm whether the certification of the parent company also covers the subsidiary concerned. This can be done by finding the relevant DPF-certified organisation in the DPF certification list and checking whether the subsidiary is named in its list of covered entities.
  • Transfers to an organisation in the U.S. acting as a controller. Prior to the transfer of personal data to a DPF-certified U.S. organisation acting as a data controller, the data exporter must ensure that the transfer complies with all relevant provisions of the GDPR. In particular, it must identify a legal basis for the processing, comply with the data protection principles and provide relevant information about the transfer to data subjects, such as the identity of the recipients of their data and the fact that the transfer of their personal data will proceed in reliance on the DPF.
  • Transfers to an organisation in the U.S. acting as a processor. Prior to the transfer of personal data to a DPF-certified U.S. organisation acting as a data processor, the data controller exporting personal data from the EEA must conclude a data processing agreement containing all the requirements of Article 28 of the GDPR. Where the U.S. processor engages a sub-processor to conduct specific processing activities on behalf of the EEA controller, it must ensure that the sub-processor is subject to the same data protection obligations as those in the data processing agreement between the data controller and the data processor. The U.S. processor remains liable to the controller for the performance of the sub-processor's obligations.

FAQs for Individuals

  • Redress avenues. The DPF provides several ways for individuals to obtain redress for complaints, such as by contacting the participating business directly, submitting a complaint to the relevant DPF-certified organisation's independent recourse mechanism provider (as designated on the organisation's entry on the DPF certification list), submitting a complaint to a relevant Data Protection Authority ("DPA") in the EU, contacting a relevant U.S. enforcement authority, and invoking binding arbitration.
  • Complaint procedure. Individuals are encouraged to first contact the DPF-certified organisation with any questions regarding the processing of their personal data by that company before making use of other avenues for redress. However, the EDPB notes that if the individual's concerns are not resolved by the organisation, or if the individual has reasons to avoid addressing their complaint to the organisation, they may contact any DPA in the EEA. From a practical point of view, this DPA is likely to be the national DPA of the country where the individual resides or works, or the national DPA of the EU member state from which the individual's personal data was transferred to the U.S.
    While binding arbitration and contacting the U.S. enforcement authority are also available as means for individuals to obtain redress, the guidance on the DPF complaints procedure indicates that these should only be used after other avenues for recourse have been explored or exhausted, and not as a standalone means of redress.
  • How complaints lodged with EU DPAs are handled. If the DPF-certified organisation has designated the EU DPAs as its independent recourse mechanism provider, or if the complaint concerns the processing of human resources data collected in the context of an employment relationship ("HR Data"), an informal panel of EU DPAs will be set up to handle the complaint. This panel will launch an investigation and invite both the complainant and the relevant DPF-certified organisation to express their views, and can issue binding advice to the DPF-certified organisation.
    However, if the complaint does not concern the processing of HR Data or if the DPF-certified organisation has not committed to cooperate with EU DPAs, the panel of EU DPAs will not be competent and may refer the complaint to the relevant U.S. authorities, such as the Federal Trade Commission, the Department of Transportation, or the Department of Commerce.
    Depending on the circumstances of the case, the national DPA may also directly exercise its enforcement powers on the data exporter (such as enforcement orders to prohibit or suspend data transfers).

Commentary

Both FAQs are timely in light of the DPF's uptake; as of July 2024, more than 2,800 enterprises have certified to the DPF, the majority of which are small and medium-sized businesses.¹ The FAQs provide welcome clarification for organisations currently certified to the DPF, and for those considering becoming certified, and offer targeted guidance to accompany the general FAQs on the DPF published by the European Commission last year.

In addition, the FAQs for individuals are clearly aimed at helping individuals understand their rights and the recourse avenues available under the DPF, and can be read in conjunction with the EDPB's template complaint form. This reflects an underlying commitment by European regulators to ensure the durability of the DPF, particularly in light of commentary indicating that the likelihood of a successful legal challenge to the DPF will depend on how effectively its recourse mechanisms work in practice.

Although the FAQs are helpful, they have some limitations, especially for organisations relying on the UK-U.S. and Swiss-U.S. Data Privacy Frameworks ("UK DPF" and "Swiss DPF" respectively) as well as the DPF. Unsurprisingly, the EDPB does not opine on non-EU laws or agreements, so it remains to be seen whether the UK's ICO or the Swiss FDPIC (the data protection regulators of the UK and Switzerland respectively) will follow the principles set out in the FAQs. Regardless of whether any formal position is taken outside the EU, the FAQs reflect DPF principles that apply to all three frameworks, and refer to guidance on the DPF program's website which encompasses both the Swiss and UK regimes. Therefore, all organisations transferring personal data to the U.S., and all individuals whose personal data is transferred to the U.S., under any Data Privacy Framework would do well to follow the FAQs.

Footnote

1. https://commission.europa.eu/news/joint-press-statement-commissioner-didier-reynders-and-us-secretary-commerce-gina-raimondo-first-2024-07-19_en
