After long negotiations, the new adequacy decision for processing personal data of EU data subjects in the United States resulted in new rules and the setting up of new organisations in the US, and in an adequacy decision by the European Commission. This enables the transfer of personal data only to organisations in the US that register with the EU-U.S. Transatlantic Data Privacy Framework. Organisations registered with the predecessor of the new framework, the Privacy Shield, retain their registration if they have maintained it and continue to fulfil the conditions. The list of registered organisations can be found here: https://www.dataprivacyframework.gov/s/participant-search.
As mentioned above, it is not only the Commission's adequacy decision that is new: the United States also undertook a number of measures, in particular concerning the regulation of surveillance of electronic communications, to bring the American rules more into line with European data protection requirements.
The main measures are included in an Executive Order of the President of the United States, determining the conditions of surveillance and creating an institutional structure for complaints and redress for data subjects whose data are acquired by US national security agencies.
Nevertheless, the new framework is subject to much criticism as to whether it indeed complies with European data protection standards, and the first challenge asking to invalidate the adequacy decision has already reached the European Court of Justice. The court refused to grant an injunction to immediately suspend the application of the adequacy decision. The reason, however, was that the applicant could not demonstrate that the prejudice suffered due to the transfer of personal data to the US would justify immediate action by the Court, and thus this rejection gives no indication of whether the Court will in the end uphold or annul the adequacy decision. Further applications to annul the adequacy decision may be submitted to the Court of Justice within some weeks. See https://www.portfolio.hu/en/business/20221103/the-new-transatlantic-privacy-framework-will-it-protect-our-data-better-576413 for my evaluation of the compliance of the US measures.
Therefore, some American companies may decide not to register with the framework but to use the Standard Contractual Clauses approved by the Commission as the legal basis for receiving personal data of European data subjects. The validity of these clauses was upheld by the Court of Justice when it invalidated the predecessor of the framework, the Privacy Shield. These clauses contain all the conditions the data importer has to fulfil to provide the protection required by European law.
To apply these clauses, however, it is necessary that the data exporter (the data controller in the European Economic Area, providing the data) and the data importer (the recipient of the personal data in the US) establish that the US legal system enables the data importer to comply with the conditions of the Standard Contractual Clauses. The main point in this compliance is the access of US national security agencies conducting surveillance of electronic communications or entitled to request access to personal data held by the US organisation (the data importer). With the measures taken by the US, as mentioned above, this can be assumed; therefore Standard Contractual Clauses can also be used, provided that the assessment of the factors influencing the compliance of the data importer with the clauses (called a “Transfer Impact Assessment”) is documented.
The assumption, however, that if the Transatlantic Data Privacy Framework is invalidated, transfers can continue undisturbed using Standard Contractual Clauses, is not necessarily true. If the framework is invalidated due to the inadequacy of the measures taken by the United States in respect of surveillance by national security authorities, the above-mentioned assessment that the conditions of access of national security authorities to personal data transferred by European data controllers (EU institutions) or processors (our contractors) comply with the European rules is also invalidated.
The new framework does not change the requirements for exchanging personal data with U.S. public authorities, nor with commercial organisations that are not registered.
The European Data Protection Supervisor has also made clear that the framework only provides the basis for the US being the destination of the transfer but does not override any other data protection rule.
Thus, data can nevertheless be transferred only if there is a valid legal basis to do so, and the data exporter is obliged to protect the rights of the data subjects according to EU rules. This means that the transfer must be necessary for a reason listed in Article 6 GDPR (task in the public interest, contract, legal claims, etc.). There are two legal bases in this article which should be considered separately: consent must be given freely, explicitly and specifically, with the data subjects in possession of all relevant information, while the legitimate interest of the controller has to be weighed against the privacy interests of the data subjects. Beyond that, only the data needed should be transferred, they should be used (also by the data importer) only for the purpose for which they are transferred, and the data should be deleted or returned by the recipient once they are no longer needed. Ensuring that the data protection principles are followed by the recipients also makes the data exporter better prepared to find an appropriate solution if the Transatlantic Data Privacy Framework is eventually invalidated.
Therefore, although formally it will be possible to share data and use U.S. providers more easily, it is necessary to
· insist on signing appropriate agreements with data protection clauses when contracting U.S. entities just as we do with European data processors and other partners;
· avoid using providers from the U.S. that are not reliable in how they process personal data, and use European providers if they are available;
· if possible, insist on contracting the EU entities (subsidiaries) and on storing personal data processed on behalf of the data exporter in European data centres (this was the solution applied widely before the data transfer framework) in order to mitigate the risk of invalidation of the Framework;
· document the necessity of transferring the data for a legitimate reason, or that consent was given freely and explicitly, including for the data transfer and the use of the data by the data importer, and that the data subject was properly informed.
The consequence of requiring that data importers comply with European rules is sometimes alleged to be protectionist and to hinder free trade, in particular in digital services. The risk of non-compliance and the administrative requirements where there is no adequacy decision do indeed give an incentive to use European providers, or at least European subsidiaries and European data storage. Adequacy decisions are a means to alleviate these concerns, but they require an evaluation of the legal system of the target country by a European body. Nevertheless, this is necessary for the protection enshrined in European law, the EU treaties, the Charter of Fundamental Rights and Convention 108 of the Council of Europe. Therefore the above advice is somewhat sensitive.
If a US solution is more advantageous than a European one, the advantages have to be weighed against the additional effort and risk of the transfer. If the two are equivalent, there are more advantages in choosing the European one than just data protection. The argument can actually also be turned around: privacy features should be one of the aspects considered when evaluating a solution. There are a number of other features (such as product safety) where this already works. Data protection just introduces another feature to be taken into account.