Navigating the Impact of the EU-U.S. Data Privacy Framework

The framework introduces new binding safeguards, such as new obligations in relation to access to data by U.S. intelligence agencies as adopted in Executive Order 14086 “Enhancing Safeguards for U.S. Signals Intelligence Activities,” and establishes a Data Protection Review Court to review and resolve EU citizen complaints relating to EU-U.S. data transfers. However for EU organizations sharing with non-certified U.S. organizations nothing fundamentally changes as they still must:

• Use EU Standard Contractual Clauses and apply EU recommended safeguards for transfers.
• Complete transfer assessments, although the risk profile for sharing with the U.S. will have reduced.

Whereas for organizations in Europe transferring to certified U.S. organizations, should provide more comfort about the data transfer safeguards. Certified U.S. organisations must commit to privacy principles and obligations around data sharing and security in the U.S. Certified organizations aren’t required to use the EU Standard Contractual clauses but are still required to incorporate appropriate data protection terms into any contract.

Existing Privacy Principles Rule

Self-certification is subject to implementation of and compliance with fundamental data privacy standards, to ensure that data protection is consistent with EU law (and U.K. and Swiss law for the impending extension frameworks). Organizations must be aware that while selecting to self-certify is voluntary, once such an organization does so, and publicly declares its commitment to adhere to the principles, that commitment becomes enforceable under U.S. law., via the U.S. Department of Commerce and other agencies.

The following principles are required to obtain approval to transfer under the new EU-U.S. agreement, and must be demonstrated as part of a privacy policy that is provided to the authorities:

• Notice: An organization must clearly inform individuals about its participation in the Data Privacy Framework and provide specific details as listed prior to any transfer and associated processing of their personal data.
• Choice. The appropriate lawful basis (consent or contract) should be applied, with the operationalization of data subject rights, including opt-out and to be informed about changes to the processing purposes they have agreed to. Explicit individual consent may be required when transferring sensitive personal data.
• Accountability for onward transfer. Contracts and/or clear terms are required clarifying respective parties’ responsibilities to ensure that personal data is processed for any specified purposes and that processing should stop if the principles cannot be fulfilled.
• Security. Organizations processing personal data must take reasonable and appropriate measures to protect and take into account the risks associated with the processing and given the type of personal data being transferred.
• Data integrity and purpose limitation. Personal data should only be processed for the purposes originally permitted and any personal data must be held to its intended use, and maintained as accurate, complete and current.
• Access. Individuals must be given rights of access to personal data that an organization holds about them, along with other rights such as deletion and correction.
• Recourse, enforcement and liability. Organizations are required to implement effective mechanisms for compliance with the principles and recourse for individuals impacted by non-compliance. Organizations should engage expeditiously with any associated complaints or requires for information from individuals and/or regulatory bodies.

A Path to Certification

For the vast majority of companies, self-certification won’t be possible in their current state. While many organizations have made strides in their data privacy programs in recent years, and many are also thinking about how they can leverage the new EU-U.S. Data Privacy Framework, the self-certification requirements are stringent. Only the most sophisticated privacy programs will qualify.

The steps required to meet certification requirements are extensive, however they are also part and parcel of meeting data protection best practices, which most organizations should be addressing anyway. U.S.-based organizations can benefit from this, even if they are not obligated under existing data privacy laws. Benefits include ease of doing business in the EU, improved compliance controls and enhanced business opportunities as a trusted organization.

In addition to implementing a full-scale program that meets the principles outlined above, self-certifying organizations must meet supplemental principles, some of which apply irrespective of whether the recipient organization has certified. These include:

• Prior to making any transfer, European organizations should confirm whether the recipient is certified or not, and if not, will need to use other transfer mechanisms such as standard contractual clauses or other supplemental safeguards.
• Contracts in place when a transfer is made for processing purposes only, even if the U.S. recipient is certified as a participant in the framework.
• Contracts in place for onward transfers.
• Additional safeguards for the use of sensitive data.
• Transparency requirements associated with access requests by public authorities.

Additional Caveats and Potential Gotchas

Aside from the challenges of fulfilling certification requirements, there are also still many unknowns about the long-term efficacy of the new framework. Some of the top issues to be aware of and prepare for include:

• The current framework is still open to challenge in the courts. Just as Privacy Shield was invalidated by Schrems II, there’s the possibility of challenge by Schrems or other privacy watchdogs.
• Contracts are still required for transfers, so the framework will not serve to wholly replace current contracting steps (though over time, these processes will likely become more straightforward for certified organizations).
• Organizations are still subject to the obligations connected with personal data safeguards and suitability of security measures as dictated by applicable contract terms. Theoretically, the parameters in the contracts should align with requirements for certification, but there may be nuances as the initial self-certification process is highly prescriptive.
• Only those companies subject to the jurisdiction of either the Federal Trade Commission or the U.S. Department of Transportation are eligible to self-certify, though the scope of eligibility is likely to broaden in the future. For example, for now, banking, insurance and telecommunications companies are excluded.

For the near term, the new framework is not positioned to change much in the vast landscape of EU-U.S. data transfers. Without self-certification, which requires extensive data privacy controls, organizations will still need to use the legal bases they’ve been relying upon since Privacy Shield was invalidated. That said, the long-term benefits of taking the steps needed to self-certify will surely outweigh the costs of doing so. Particularly as organizations face increased scrutiny for their data protection processes and intensifying global data privacy regulations.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.