Bytesize Legal Update: the EU US Data Privacy Framework
Locations
Welcome to this Bytesize legal update from Mark Webber and Jess Solsberg at Fieldfisher Silicon Valley.
A flurry of information has been released over the past week or so regarding the EU-US Data Privacy Framework (DPF), so we're really excited to share with you some of the updates on timeline around certification to the new framework. We'll give you some information on how the DPF is different to the original Privacy Shield framework and what you need to do to get yourself certified.
Listen to the podcast recording of this discussion:
An introduction to the EU-US Data Privacy Framework
The Data Privacy Framework will provide organisations with a mechanism to transfer personal data from the EU to the US without the need for another mechanism, so they don't need to consider things like Standard Contractual Clauses (SCC's) or the model clauses, as we call them, or Binding Corporate Rules (BCRs). The DPF is intended to re-establish the data bridge between the EU and US after the Privacy Shield was invalidated, and will enable the free flow of personal data between the EU and the US for organisations that have self-certified.
We should say that we're commenting on this ahead of the 17th of July, so there remain some questions on process, but given the publications and the detail we've seen published over the last week or so, we're still fairly confident about what applications will look like. And although we're talking about the EU-US Data Privacy Framework, we should also say that the UK and Swiss are also playing ball, so there's going to be options for UK and Swiss data.
How is the Data Privacy Framework different to the Privacy Shield?
The DPF is actually based on the Privacy Shield, with certain improvements to address the concerns of the CJEU raised in Schrems 2. The principles remain substantively the same and are renamed from the privacy principles to the EU-US DPF principles. The process for self-certification and recertification annually will also remain very similar, but organisations will rather be certifying to the new DPF framework rather than the Privacy Shield.
The main differences relate to restrictions on US intelligence authorities and their access to European data, to the extent that access is now necessary and proportionate. The US has also established a two-tier redress mechanism to address complaints from EU individuals, which helps address the concerns from the Schrems 2 decision, where the court found that the US lacked an independent redress mechanism for EU individuals and that US intelligence authorities possibly had too broad access to EU citizens' data.
When will the data privacy framework be implemented?
On the 10th of July, the European Commission adopted its long-awaited adequacy decision for the DPF. So effectively it's here now and it's effective immediately. The new adequacy decision allows for personal data to flow from the EEA to the European Union countries, plus Norway, Iceland and Liechtenstein to those DPF certified US companies without the need for additional safeguards.
What if your organisation is still certified under the Privacy Shield?
Organisations that are certified under the Privacy Shield and are self-certifying their commitment to comply with the DPF principles must comply with the principles, including updating their privacy notices, by October 11th [JR1] of this year.
It must be noted, though, that updating and renaming of the privacy principles under the DPF does not change the organisation's recertification due date. So what we're saying here is that organisations that have maintained their Privacy Shield certification effectively have three months from the date of the adequacy decision to either withdraw from the Privacy Shield or update their privacy policies to refer to their commitment to comply with the new framework. The framework itself doesn't create any substantive new obligations for certified organisations, so it's not quite what we thought, as the actions will in part depend on when the organisation's renewal date lands. The big revelation is that the US Department of Commerce (DOC) is effectively grandfathering Privacy Shield participants into the DPF until their renewal date. Clearly, any organisation staying in will have to update their notices by the 11th of October, and then they'll recertify as and when their renewal date comes around.
What are some of the benefits of participating in the DPF?
The main one is the US can now ensure an adequate level of protection for personal data by utilising and leveraging the DPF. Data can flow freely between the EU and the US without further conditions or authorisations. We've dealt with some of those tricky issues of necessity and proportionality because President Biden has made some steps in relation to the executive order and implemented US laws and US processes with the US intelligence authorities, which changes some of that access to data. What we do know is the framework is substantially different from the Privacy Shield because it has a new judicial redress mechanism, but that Privacy Shield principles and commitments are not all that different, so it's particularly accessible to those who've gone there before. There's not a lot of changes in practice and that's got to be a real advantage.
The real benefit in participating in the Privacy Shield is taking advantage of an adequacy decision. An adequacy decision is the highest level of decision, so better than appropriate safeguards, better than those derogations, and something which means there is no need to perform a transfer impact assessment (TIA). That TIA is out of the window if you're relying on DPF, so there's a whole lot less to do as and when you consider those transfers and transfers that are subject to the DPF. The other advantage is it looks like the UK and the Swiss authorities are playing ball too, so you almost get a triple whammy. You're going to be dealing with EU data, UK data and Swiss data, although, as you'll see, we do need to think about some of them separately when making our commitments and thinking about our certifications.
What this really means is there's a Plan B for your data transfers and, if you're a vendor, a Plan B for your customers relying on the DPF in relation to data transfers. All in, you've got to look at it as a good news story.
What should organizations be doing next? What do we need to be thinking about now?
There's a lot of information which has come out to make this quite confusing, so we're going to try and lay this out in a succinct, clear way for you. The first thing to consider really is whether you're eligible for the framework. Only US organizations that are subject to the jurisdiction of the STC or Department of Transportation can join the framework. This excludes most financial institutions, telecommunications companies, labour associations and non-profits. You'll then need to consider the principles, which remain substantively the same as the Privacy Shield, but are updated with redress mechanisms and restrictions on US intelligence authorities.
As we mentioned before, organsations will need to check to demonstrate compliance with the principles and whether they can show this.As mentioned earlier, on July the 10th, the adequacy decision entered into force. This means that the DPF program website is scheduled to be brought online by July the 17th[JR2] . Individuals with active accounts that were used with regards to the Privacy Shield program website will be able to use their existing login credentials for those accounts on the new website. You'll then need to consider the process of applying and what information needs to be gathered for this process. We will keep a close eye on this and we'll work to gather a summary as soon as the information is released.
Recapping some of this: the first headline is, if you were never in the Privacy Shield or you formerly withdrew from the Privacy Shield and you want to play in the DPF, you've got to go through that recertification process. If you remained in the shield, you've been grandfathered in and now you're a member of the DPF.
What you've got to consider is "should I stay or should I go"? Now, if you stay, you've got until the 11th of October to either declare participation with those public statements and updating your privacy notice, or you've got to decide whether you want to pull out. If you're pulling out, you've got to be thinking quite carefully because there's a formal process for doing so. So whether you're staying or you're going, there's something to do.
If you're staying, there's quite a lot to do. You've got to make changes to your websites, your public statements referring to DPF and not Privacy Shield (relying on that again in relation to the making of your transfers), thinking about your privacy notices, your employment privacy notices, applicant privacy notices, any kind of agreements or documents that explain your privacy practices and transfers. If you're going to be a member of the DPF, you've got to think about your DPA making commitments to customers, to the controllers (or to other controllers if you've got C2C arrangements).
Also, you have to think about flow downs. When you're pushing data out to third parties and there's onward transfers, am I flowing down commitments in relation to the data privacy framework principles and ensuring that onward commitment or the FAQs and information that we see from the DOC allows us? Are we going to be allowed to move off and rely on other transfer mechanisms, like model clauses for those onward transfers? Now, there is a bit of a question there. When you're thinking about all of this, you need to be thinking in three different buckets.
There's a lot of focus on the EU, because the EU has led this, but, as we've said, you need to be considering Swiss participation aswell. If you're interested in Swiss participation and you were participating in the Swiss framework, you're automatically grafted in as of the 17th of July, but you've got until the 17th of October to update your privacy policies and your notices and your documents. There's no separate application required in relation to the Swiss DPF. Then, if you think about the UK, we've talked about the UK setting up a data bridge. As the UK system is slightly different (and because of Brexit and this alternative participation) regardless of whether you are in or you are out. You need to be thinking about whether you want to participate in the UK-US data privacy framework (or the data bridge as it will be known), You then have to take an additional step to self-certify compliance. In relation to the UK extension, it is interesting to note that you can participate in the EU framework without the UK, but you can't participate in the UK framework without the EU. So a few different decisions need to be made.
The other thing that is important about the UK is that although you can certify compliance to the UK data bridge as of 17th of July, the UK government does have to take a few additional steps and therefore you might have certified, but you can't rely on the UK data privacy framework until the UK government has taken those steps. At some point in the next weeks or months, they will take those steps and then you can finally rely on the UK mechanism as a formal, lawful transfer mechanism.
So breaking it down, understanding what you're doing, thinking about how you break down the UK, Swiss, European principles within your documents and your certification process, will be relatively simple, but something you've just got to think about in terms of tactics and strategy.
There's just one last point to note. If you could declare that you are going to participate, then you need to consider what your renewal date is under either the EU, UK or Swiss Privacy Shield. If it falls before October the 11th, there is more pressure on your decision making. So by the recertification date you'll need to recertify your participation, but you'll have to wait until the 11th of October to make the changes.
If it falls after October the 11th, then you'll need to make a public declaration of participation by October the 11th and make your changes to websites, notices etc. You'll remain in the DPF until your renewal date, at which point you'll then recertify. You'll then pay your recertification fees and recertify to compliance with the data privacy framework principles at that stage. Or, as we said, you can decide to pull out completely, and ideally you'd do this before October the 11th to avoid any disclosure obligations.
Is there any chance of the data privacy framework becoming invalidated again?
I think a lot of organisations are worried, obviously, given the Schrems decision, that the data privacy framework is likely to be invalidated again and this is all a waste of time.
However, this is a more robust framework than the frameworks of the past. TheCJEU, the European Commission and US authorities have spent a lot of time on this. So you would hope not, but we have to prepare and expect for a claim and I think, as you're sitting down to decide whether you're going to rely on the DPF or whether you're going to buy into the new mechanisms, that's something you need to consider quite carefully.
Effectively, only time will tell, but yes, there is a possibility. One of the main reasons the Privacy Shield was invalidated was because the EU courts found that the US lacked an independent redress mechanism for EU individuals and they saw US intelligence authorities possibly having access to a broad range of EU citizens data. However, with the DPF, the US has addressed this and, in particular, outside of the framework, but as a part of the Biden executive order and some of the commitments the US has made, we now have concerns addressed. The executive order limits US intelligence activities to what is necessary and proportionate, but, importantly, a newly created data protection review court will investigate complaints from EU individuals and offer that avenue for address. So we've seen some more limitations and the avenue for address and so I think hopefully it'll be relatively robust.
Of course, there could be a challenge. That will be a slow challenge and we don't know whether it will be successful. I think the more this is adopted, the more backing there is for this and the more companies take this seriously, the more robust it will be. It's one of those things that we'll be monitoring along with everyone else, but it's not necessarily something you want to ignore. I mentioned a Plan A and a Plan B. For many companies they've only had a Plan A for a long time and that's been a long and cumbersome process for US transfers. Relying on SCCs and the appropriate safeguards that they offer an adequate decision is a higher standard and it's something which is really attractive.
We'll be keeping a close eye on developments as they're revealed over the next few weeks when the certification portal goes live. We'll keep you updated, but if you want to know more in the meantime, don't hesitate to get in touch with a contact at the Fieldfisher Silicon Valley office for more information and advice on the topic.