Since the invalidation of the Privacy Shield, legal departments and DPOs have been busy putting in place Standard Contractual Clauses for all data transfers to the US.
More recently, following the Schrems II ruling, additional measures were to be put in place.
However, the approval of the Data Privacy Framework has changed all that. What new rules need to be put in place for these transfers? Do new documents need to be drafted? What about the Standard Contractual Clauses that have already been agreed to?
The European Union and the US Department of Commerce have agreed to a new agreement called the Data Privacy Framework (DPF), which replaces the Privacy Shield, the successor of the Safe Harbor. Both previous agreements were invalidated by the Court of Justice of the European Union (CJEU). Like its predecessors, this agreement is based on self-certification. The companies undertake to respect several principles and to submit any dispute concerning the implementation of the programme to the American authorities, in particular the Federal Trade Commission (FTC). Disputes are resolved through independent mechanisms, with possible recourse to the European regulatory authorities.
To benefit from this agreement, US companies must have an external policy on personal data that complies with the programme and includes several mandatory provisions. It is also compulsory to designate a recourse mechanism before subscribing to the framework. This is even more important as the agreement provides for the possibility of an audit, even though none has been identified to date.
This agreement should in no way be seen as a replacement for the GDPR, even though some American companies have embarked on this path. These are two very different things. Data collected by a company based in the United States, acting as an American importer, must comply with the GDPR. This self-certification is simply a mechanism that allows data to be transferred without the need for Standard Contractual Clauses, while limiting the risks inherent in the use of personal data.
Despite the agreement, it is preferable to continue drafting these Standard Contractual Clauses and Transfer Impact Assessments as there is no certainty as to the duration of the decision.
To draft a proper Transfer Impact Assessment, you need to have two parts. The first concerns the safeguards and security measures surrounding the transfer, while the second involves an analysis of the regulations applicable in the country of importation. The goal of the Transfer Impact Assessment is to produce a document that enables a detailed risk analysis to be carried out. For the exporter and importer of data, it is necessary to analyse the regulations in the recipient country. This analysis should not be based solely on the importer’s answers, as foreign law has its own procedural nuances. In the event of an inspection by a European authority, you must be able to demonstrate that an analysis has been carried out and that the transfer may or may not take place. This study must detail the arguments that led to the decision.
Cross-border data transfers occur when personal data is transferred from a European Union country to a third country. When you are subject to the Data Privacy Framework, the data must be collected in compliance with the GDPR, but when you transfer the data from the importing country to a third country, the transfer must respect the DPF. One of the new features introduced by the DPF in terms of data security is the obligation for data controllers and processors to explain the security measures taken in relation to the data being processed. The resulting document certifies compliance with the principles laid down by the DPF.
The Data Privacy Framework provides for several types of independent recourse mechanisms (IRM), enabling EU nationals to have recourse to the European regulatory authorities to resolve disputes. This remedy has not yet been tested. This IRM is a condition for self-certification under the Data Privacy Framework.
As far as possible, the exporter should use this European appeal mechanism because they are the data custodian. Sometimes, they are part of a supply chain or are not necessarily the source of the data and therefore cannot impose it. However, it is legitimate to question the value of this mechanism, since there is no control over the use of the data after the transfer.
Regarding the control mechanism held by the Federal Trade Commission, it should first be noted that the United States and the European Union have legally different concepts of data protection. In Europe, regulations play a predominant role and are binding on member states. The United States believes in market self-regulation and has a very liberal view of data. As soon as there is a risk to data because of the nature of the data or its sensitivity, regulations are introduced at federal level, which is subsidiary to the state level. The federal government can only intervene in identified areas. Anything that is not managed at federal level falls within the remit of the States, where the regulator is the Attorney General, elected by the citizens of the State concerned.
The Federal Trade Commission is the regulator for the Data Privacy Framework. It ensures that the entities concerned comply with this regulatory framework. Its mission is also to protect the American consumer. The Federal Trade Commission Act contains a section 5 which punishes unfair or deceptive commercial practices. It was on this basis that the Commission established itself as a regulatory body at federal level. This is explained by its search for legitimacy in this area, since it knows that it was not up to the task when Safe Harbor and Privacy Shield were in force. It comes up against the distinction between federal and state governments, which means that it cannot necessarily take the place of the Attorney General of the various states, even though the Data Privacy Framework gives it authority in this area. However, the Federal Trade Commission’s jurisdiction remains limited, as it is only applicable to companies that are self-certified under the Data Privacy Framework.
The disadvantage is that many small companies think that self-certification will solve all their problems. As soon as a company enters the Data Privacy Framework, it blindly accepts, as an importer, to be audited by the Federal Trade Commission, or even the Department of Transportation, which may join the FTC in an audit. Other US federal authorities may also carry out audits. However, many small companies do not know what they are exposed to in the event of an audit. It is therefore reasonable to ask whether companies understand the risk they are taking by agreeing, in advance, to be subject to these regulators, and whether it is really worthwhile for them to submit to the US regulator rather than accept Standard Contractual Clauses and manage the contractual risk.
Furthermore, the future of the Data Privacy Framework is uncertain; it is not possible to know whether it will be invalidated, although it will certainly be put to the test. As soon as the Data Privacy Framework was announced, many Americans took it for granted. Since the announcement of several challenges, their position has changed. They see this as an opportunity to limit administrative efforts over a period of 4 to 5 years. The future of this new agreement is unknown, but an obligation to document what has been done in terms of Transfer Impact Assessment and Standard Contractual Clauses remains.
In the context of the Data Privacy Framework, there is a great deal of educational work to be done insofar as many organisations have specialised in providing support through (unofficial) audits to document compliance with the principles set out in the Data Privacy Framework. It should be borne in mind that DPOs in the United States are still a very European creation. Very few companies have appointed one, and very few companies with a high level of activity in Europe have appointed a representative in accordance with the requirements of Article 27 of the GDPR.
Once a company has been certified under the Privacy Shield, it can continue under the Data Privacy Framework without having to start the certification process all over again. However, it was necessary for the company to update its policy to bring it into line with the Data Privacy Framework before October of this year. Most of these companies continue to honour the Standard Contractual Clauses as a complement, as they do not know what they are exposing themselves to with the Data Privacy Framework. For the moment, there has been no position on the Data Privacy Framework from the regulatory authorities.
Mathilde Jehanno and Alexis Dessaints