Uncertainty surrounding the legal use of American suppliers has been challenging for many businesses in recent years. Now the US and the EU have finally agreed on a framework for the transfer of personal data – the Data Privacy Framework (DPF). This means that it will now be easier to legally transfer data to the USA. But before you let the cheers go, you need to check whether the supplier you want to use is certified.
On 10 July 2023, the European Commission made an adequacy decision that the US has an adequate level of protection for personal data transferred from the EU to businesses in the US. The decision has been taken on the basis of the new framework, and applies to transfers made to US companies that are included in the “Data Privacy Framework List”. As of this date, it has become significantly easier to legally transfer data across the Atlantic. Following the decision, the European Data Protection Board (EDPB) has published guidance on the meaning of the new framework.
Below we summarize the consequences of the framework for businesses that transfer personal data from the EU to the USA.
The decision is a sort of stamp of approval on the US as a recipient country of personal data, and on businesses in the US that are on the “Data Privacy Framework List”. This makes it unnecessary to enter into EU standard contracts (SCC), and to carry out the demanding assessments of the level of protection, as well as having to require additional measures to protect the personal data in accordance with the GDPR. This saves your company time and money.
Check that the business is certified
The basis for the transfer only applies to US businesses that are on the Data Privacy Framework List. The fact that the businesses are on this list means that they are certified and are approved as safe businesses. The requirements for the American businesses are relatively similar to those under the previous transfer basis, Privacy Shield. This means that most businesses that were certified under the Privacy Shield are still certified. Here you will find the overview of certified businesses.
If the business is not listed, you must take care to provide an alternative transfer tool as before, and make the same assessment of security. In this context, the European Data Protection Authority emphasizes in its guidance that all security measures implemented by the US authorities apply to all data transferred to the US. Regardless of which transfer tool is used. Therefore, as a data exporter, you can base the assessment carried out by the Commission on the effectiveness of the chosen transfer tool.
In short, the commission has done the assessment for you, and using alternative transfer tools is therefore also significantly easier.
Also keep in mind that even if the US business is on the Data Privacy Framework List, their subcontractors may not be. Therefore, always check the entire range of suppliers, to ensure legal transfer tools.
Update all information
You must always take care to update the information provided regarding the processing of personal data. Regardless of how you choose to transfer these. And you must ensure that both privacy statements and data processor agreements are updated. This must be done so that your contracting parties and users/customers can communicate which transfer tool is in use. Also remember that your business must always enter into data processing agreements, even if the American business is on the Data Privacy Framework List.
In the data processing agreement, you should always include an obligation for the American business to regularly confirm its certification. When the data processor agreements and privacy statements are updated, internal guidelines should be updated and employees informed so that they know which transfer basis is used.
How should you proceed?
- Check the list of US businesses to which your company already transfers personal data and see if these are listed on the Data Privacy Framework List.
- You can search for certified businesses here: www.dataprivacyframework.gov/s/participant-search
- Ask for regular confirmation that your suppliers (or subcontractors) are certified under the EU-US Data Privacy Framework. This can be done in the data processing agreement.
- Look at previous assessments (TIAs) of data transfers (for example using Standard Contractual Clauses) – you can strengthen these using the new framework.
- When entering into new agreements that involve transfers to the USA, check whether the business you are transferring to is listed on the Data Privacy Framework List.
- If the business (or its subcontractors) is not listed on the Data Privacy Framework List, you must find an alternative transfer basis. Remember that it is less demanding to document the legality of transfers to the US, in light of the new framework.
- Update your data processor agreements and internal and external privacy policies and declarations.