The ability to transfer data is a key issue for many companies. In light of the record-breaking fine the Irish Data Protection Commission (DPC) imposed against Meta Ireland in May 2023, companies are very aware of the need to ensure compliance with the General Data Protection Regulation (GDPR) rules around data transfers.
The European Commission recently adopted its Adequacy Decision for the EU-US Data Privacy Framework (DPF). The DPF is a self-certification programme, which contains principles that are broadly unchanged from the previous Privacy Shield framework.
In this article, we set out:
- The key issues concerning the law around data transfers
- The recent developments in this area, and
- Some practical considerations arising out of the DPF that companies ought to be aware of
Key issues concerning data transfers
Flows of personal data to and from the European Economic Area (EEA) are necessary for international trade and co-operation. However, the transfer of this personal data to controllers and processors located outside the EEA must be done in full compliance with Chapter V of the GDPR, so as not to undermine the level of protection of the individuals concerned.
Two key takeaways on the law around transfers are:
Adequacy decisions are one of the tools provided under the GDPR to transfer personal data from the EEA to third countries which, in the assessment of the European Commission, offer a comparable level of protection of personal data to that of the EU. At present, the European Commission has recognised 15 jurisdictions, or specific sectors in a third country, as providing adequate protection.
As a result of these adequacy decisions, personal data can flow freely and safely from the EEA to these third countries, without being subject to any further conditions or authorisations.
Other transfer mechanisms
Transfers to a third country that do not benefit from an adequacy decision can only take place on the basis of one of the other transfer mechanisms in the GDPR. These transfers may need to be accompanied by further supplementary measures to ensure adequate protection.
Standard Contractual Clauses (SCCs) are by far the most popular. Some large global companies use Binding Corporate Rules instead of SCCs. However, these can be onerous to put in place and can only be used by corporate groups or groups of enterprises engaging in joint economic activity.
Outside of these mechanisms, data exports become much trickier as companies must rely on narrow derogations in Article 49 of the GDPR, which are strictly interpreted by regulators.
It was announced in May 2023 that Meta Ireland was fined €1.2 billion by the DPC for its transfers of the personal data of EEA users of the Facebook service to the United States using SCCs.
The DPC ordered Meta Ireland to suspend its transfers of Facebook user data to the US after the expiry of a compliance period.
The DPC decision reflected core uncertainties around US data transfers from Europe, following the judgment from the Court of Justice of the European Union in 2020 known as Schrems II. For a refresh on the Schrems II decision, see our vlog.
In response to Schrems II, the European Commission issued revised SCCs in 2021, which must now be used for data transfers if that is the transfer mechanism chosen. See our previous article about the 2021 SCCs.
Use of these 2021 SCCs requires companies to conduct their own Transfer Impact Assessments (TIAs). They are also required to adopt supplemental measures to address shortcomings identified in the laws of the importing country before the data transfer takes place.
While the DPC accepted that Meta Ireland had acted in good faith when it entered into the 2021 SCCs for the Facebook service and adopted supplemental measures, the DPC found that this was not enough due to the nature of US surveillance laws.
The Data Protection Commission also made it clear that its findings against Meta Ireland could apply to many other internet platforms that export data to the US. This clearly demonstrated the urgent need for a political solution that could restore certainty to EU-US data transfers.
Where does that leave us now? The EU-US Data Privacy Framework
The European Commission adopted a new Adequacy Decision for the EU-US Data Privacy Framework in July 2023, restoring EU-US data transfers to a sound legal footing. See the related press release.
The new DPF is the end result of detailed negotiations between the European Commission and the US Government to address the concerns raised by the CJEU in Schrems II.
Notably, President Biden adopted a new Executive Order on 7 October 2022, which introduces new safeguards for access to, and use of, personal data by US intelligence agencies. The Executive Order establishes a new two-tier redress mechanism for individuals in “designated” states who are concerned that their personal data has been unlawfully collected or accessed.
The US Department of Commerce is charged with administering and monitoring the DPF programme. The International Trade Administration, which sits within the US Department of Commerce, launched its EU-US DPF website on 17 July 2023. US companies are now able to review the key requirements for participating organisations, including how to join the programme.
What does this mean in practice?
European organisations are now once again able to transfer personal data to participating companies in the US without having to put in place additional data protection safeguards.
New certification programme for US companies that import EEA data
The Data Privacy Framework has created a new certification programme for US companies importing EEA data to accredit with the US Department of Commerce. This is similar to what took place under the old Privacy Shield programme.
US companies can participate in the EU-US Data Privacy Framework by self-certifying their compliance with the DPF Principles via the DPF programme website and must publicly commit to this compliance.
According to the DPF website’s FAQs, these include “seven commonly recognized privacy principles and sixteen equally binding supplemental principles that explain and augment those seven privacy principles”. These also include privacy obligations, such as purpose limitation and specific obligations concerning data security, and the sharing of data with third parties.
US organisations who had maintained their Privacy Shield certification automatically transfer to the DPF. However, they must ensure their full compliance with the DPF Principles by updating their privacy policies to, among other things, refer instead to their commitment to comply with the “EU-US Data Privacy Framework Principles”. Organisations must include references within three months of the effective date of the DPF Principles, that is by 10 October 2023.
All registered organisations can be found on the Data Privacy Framework List. In most cases, it is anticipated that the certification process will take a number of weeks.
As of 10 July 2023, where a company has been certified and appears on the Data Privacy Framework List it will be possible to transfer personal data to that organisation without the need for another GDPR transfer mechanism or further supplementary measures.
Transfer Impact Assessments can take account of the European Commission’s US Adequacy Decision
Where an EEA-based data exporter wishes to transfer data to a US organisation that does not participate in the DPF, or would prefer to rely on an alternative transfer mechanism such as SCCs, the new Adequacy Decision is still relevant. This is because the safeguards implemented in US national security law to address the CJEU’s concerns in Schrems II will also apply to transfers carried out on the basis of other transfer mechanisms.
If a company uses SCCs to transfer data to the US, conducting a TIA should therefore become far easier. This is because, as part of the transfer impact assessment, account can be taken of the European Commission’s Adequacy Decision for the US and its findings of equivalence.
While this article has focused on recent developments regarding EU-US data transfers, similar considerations apply to transfers to other third countries. View a list of the other countries and sectors benefitting from an adequacy decision.
Personal data flowing freely to and from the EEA is a key cornerstone of the global digital economy. However, transfers to third countries or international organisations outside the EEA must be done in full compliance with the GDPR to ensure individuals' rights and freedoms are protected.
The area of international data transfers has received a lot of attention these past few months. However, the recently finalised Data Privacy Framework has brought greater certainty to companies that rely on transfers of data from the EEA to the US. Now, European organisations exporting personal data to those US organisations certified under the DPF appearing on the Data Privacy Framework List are once again able to conduct those transfers without having to put in place additional data protection safeguards.
Also, European organisations that continue to rely on SCCs for their US data exports can still benefit from the Data Privacy Framework by leveraging the safeguards implemented by US national security law and endorsed in the recent EU-US Adequacy Decision in their Transfer Impact Assessments.
For more information and expert advice on international data transfers, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
People Also Ask
What is the legal basis for international data transfers under the GDPR?
Chapter V of GDPR offers several legal mechanisms for the transfer of personal data to third countries or international organisations. For example,
Can a data controller in Ireland transfer personal data to outside the EEA?
Under the GDPR, the transfer of personal data from an EEA to a non-EEA jurisdiction is unlawful unless: