As of July 17, 2023, U.S.-based multinational employers that can access the personal data of their workforce members in the European Union (EU) via a human resources information system (HRIS), or otherwise transfer the personal data of prospective, current and former EU employees (“HR Data”) to the United States, can rely on a “new,” albeit familiar, legal transfer mechanism to satisfy the GDPR’s data transfer requirements: the EU-U.S. Data Privacy Framework (DPF). Following in the footsteps of its predecessor, the EU-U.S. Privacy Shield (“Privacy Shield”), the newly launched DPF permits U.S. employers to legitimize the transfer of their HR Data by self-certifying with the Department of Commerce to handle EU personal data in compliance with the “DPF Principles,” which are rooted in EU data protection law. Employers that previously certified to the Privacy Shield and maintained their certification do not have to re-certify but will need to take steps to update their compliance with the DPF.
The launch of the DPF follows the European Commission’s July 10, 2023, determination that the DPF ensures an adequate level of protection for EU personal data transferred to the United States. The U.S. government and European Commission developed the DPF in response to the decision by the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield on July 16, 2020,[1] in what is commonly known as the Schrems II decision.
While the DPF ostensibly provides employers with a less-burdensome alternative for legalizing trans-Atlantic data transfers, employers should evaluate how best to utilize the DPF within their existing cross-border data transfer compliance model. This article discusses five issues that employers should evaluate in determining how to make use of the DPF.
The DPF Provides Efficiencies over the EU’s Standard Contractual Clauses
For many multinational employers, HR Data is transferred to the United States pursuant to Standard Contractual Clauses (SCCs). Prior to June 2021, implementing SCCs was not a particularly onerous process; U.S. companies would list the categories of EU personal data that would be transferred to/accessed from the United States, identify the purposes for which the data would be used, and agree to handle the transferred data in accordance with the terms of the SCCs. That changed in June 2021, when the European Commission adopted a new, more arduous set of SCCs.[2] In addition to now being required to provide significantly more information about the transfer and describe (and implement) technical and administrative safeguards for the transferred data, companies transferring data using SCCs must also perform a detailed “transfer impact assessment” of whether the laws and practices of the destination country prevent the data importer from fulfilling its obligations under the SCCs. The DPF allows companies to circumvent these taxing and resource-intensive compliance obligations.
To address the fundamental reason for the Privacy Shield’s invalidation, the Biden administration, as a component of the DPF, limited and further regulated access to EU personal data by U.S. signals intelligence activities, i.e., intercepting communications over communications networks, and created a new mechanism for EU residents alleging misconduct by U.S. government agencies in relation to EU personal data collected or handled through signals intelligence activities to obtain relief. The European Commission based its adequacy determination largely on these changes.[3] As a result, a U.S. company’s compliance with the DPF Principles is enough to establish that the company is handling EU personal data in a manner consistent with EU data protection law. The exhaustive demonstrations, including transfer risk assessment, required by the SCCs are not needed. Companies that self-certify to the DPF therefore need to meet a much less onerous set of compliance requirements, which include, for example:
- Attesting (on an annual basis) that they will comply with the DPF Principles issued by the Department of Commerce;
- Publishing a privacy policy that complies with the DPF Principles;
- Providing an independent recourse mechanism that can be used to investigate complaints about the company’s non-compliance with the DPF Principles (applicable only to non-HR Data); and
- Agreeing to subject the company to the investigatory and enforcement powers of the Federal Trade Commission or the U.S. Department of Transportation.
For employers that may be in the process of establishing an entity in the EU, the DPF often will present the most efficient means by which to legitimize the transfer of data to the United States.
Employers that Maintained Their Privacy Shield Certification Can Immediately Enjoy the Benefits of the DPF But Will Need to Take Certain Steps to Ensure On-going Compliance
In the wake of Schrems II, the Commerce Department offered U.S. multinationals relying on the Privacy Shield the option to maintain their Privacy Shield certification to ensure continued protection for personal data previously transferred from the EU to the United States or to withdraw from Privacy Shield and rely on an alternative data transfer mechanism. Those multinationals that chose to retain their certification were required to submit an annual re-certification form, pay the annual fee, and continue to abide by their Privacy Shield Privacy Policy with respect to EU personal data previously transferred to the U.S. subject to the Privacy Shield. Multinational employers that took this option will be “grandfathered” into the DPF. This means that as of the DPF’s launch on July 17, 2023, they can transfer personal data from the EU to the United States in reliance on the DPF without taking any immediate compliance steps.
This grandfathering is possible because the DPF is virtually identical to the Privacy Shield from the perspective of U.S. multinational organizations. The only change for these organizations is cosmetic, i.e., the name change. Otherwise, the changes from Privacy Shield to DPF relate to the Commerce Department’s administration of the data transfer framework and the new limitations on signals intelligence and remedies that are available to EU residents alleging violations by U.S. government agencies in relation to their personal data transferred to the United States.
Despite the immediate “free pass,” grandfathered organizations still will need to take several steps to ensure they are in compliance with the DPF, including, for example:
- Revise Privacy Shield Privacy Policy: By October 10, 2023, grandfathered organizations must update their pre-existing Privacy Shield Privacy Policy by replacing all references to the “EU-U.S. Privacy Shield” with “EU-U.S. Data Privacy Framework.” In addition, if, after Schrems II, an organization added to its Privacy Shield Privacy Policy a statement explaining that the Privacy Shield Principles would be applied to previously transferred EU personal data but would not be used for transfers of EU personal data after Privacy Shield’s invalidation on July 16, 2020, that statement should be removed.
- Refresh Independent Dispute Resolution Mechanism: As a reminder, U.S.-based organizations that rely on the DPF to transfer the personal data of current and former EU employees must commit to cooperate in investigations by, and to comply with the advice of, competent EU data protection authorities in relation to complaints by EU residents alleging that the U.S. recipient violated their data rights. By contrast, for non-HR Data, these organizations must make available an independent dispute resolution mechanism in the United States. While the Commerce Department continued to send annual re-certification reminders to organizations certified to the Privacy Shield after Schrems II, the independent dispute resolution mechanism used for purposes of Privacy Shield compliance might not have done so. Consequently, organizations that will rely on DPF for transfers of non-HR Data should ensure that all fees and other requirements established by their independent dispute resolution mechanism have been satisfied and that the mechanism is available to resolve disputes.
- Enter Into Any Required Onward Transfer Agreements: To comply with Privacy Shield, organizations were required to enter into agreements with most third parties outside the EU that received “onward transfers” of EU personal data subject to that framework. Since Privacy Shield’s invalidation on July 16, 2020, certified organizations may have started to engage in onward transfers of EU personal data to new third parties but without executing new onward transfer agreements. Grandfathered organizations that will rely on the DPF for data transfers should, therefore, review their arrangements with onward transferees and determine whether they need to execute an onward transfer agreement that complies with the DPF.
- Recommence Annual Assessments: As under Privacy Shield, organizations certified to DPF must undergo an annual assessment — either by self-assessment or an independent third party — of their compliance with the framework’s principles. These assessments may have fallen by the wayside after July 16, 2020. As a result, grandfathered organizations that will rely on DPF should check the anniversary date of their annual certification and ensure that they complete their annual assessment before that date.
The DPF Will Facilitate Contracting with Service Providers that Handle EU Personal Data
U.S.-based multinational employers frequently rely on U.S.-based cloud service providers (CSPs), such as an HRIS platform provider, to centralize and manage HR Data. After the Privacy Shield’s invalidation, these organizations generally had no choice but to execute controller-to-processor SCCs between their EU subsidiaries and their U.S.-based CSPs (as well as other U.S.-based vendors) to legitimize the cross-border transfers of HR Data. Attendant to this reliance on SCCs was the requirement to conduct a transfer risk assessment on each relevant vendor; to negotiate over the administrative, technical, and physical safeguards that must be listed in an annex to the SCCs; and to develop the details of the data transfers that must be described in a separate annex to the SCCs. For U.S. multinational employers that relied on a large number of U.S.-based CSPs and other vendors, these requirements often demanded significant resources.
These employers will be able to avoid the burdens attendant to the SCCs with respect to the U.S.-based vendors that are grandfathered into the DPF or that choose to certify to the DPF. As explained above, the DPF is an alternative data transfer mechanism to the SCCs; consequently, these multinational employers will be able to transfer HR Data directly from their EU subsidiaries to these vendors without taking any steps to address cross-border data transfer from the EU to the United States other than to confirm that the vendors are listed on the DPF list of certified entities maintained by the Commerce Department on the DPF website. However, these employers will still be required to comply with the GDPR’s requirement that every vendor acting as a data processor — whether located in the EU or elsewhere — must agree, by contract, to process the personal data of EU residents subject to the specific terms listed in the GDPR.
The DPF Will Shortly Facilitate Personal Data Transfers from the United Kingdom and Switzerland
When Schrems II was decided, the United Kingdom and Switzerland each had their own Privacy Shield Framework to allow data transfers to the United States. Shortly after Schrems II, the UK Information Commissioner (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) separately issued statements that their country’s framework no longer could be used to legitimize data transfers to the United States.
In its announcement of the EU-U.S. DPF, the Commerce Department also announced an upcoming “UK Extension” to the EU-U.S. DPF. This UK Extension appears to be the “data bridge” that U.K. Prime Minister Rishi Sunak and President Biden announced after their meeting in early June in the “Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership.” As explained by the Commerce Department, organizations that are certified to the EU-U.S. DPF will be able to rely on the UK Extension after the effective date of the United Kingdom’s anticipated adequacy regulations implementing the UK Extension. These organizations will be required to also be certified to the EU-U.S. DPF and to commit to the UK Extension in their DPF self-certification.
The Commerce Department also explained that the Swiss-U.S. Data Privacy Framework would take effect on July 17, 2023. As with the EU-U.S. DPF, organizations that had remained certified to the Swiss-U.S. Privacy Shield after Schrems II will automatically be grandfathered into the Swiss-U.S. DPF, subject to the requirement that they revise their pre-existing Privacy Shield Privacy Policy to refer only to the Swiss-U.S. DPF. The deadline for that update is October 17, 2023.
Unlike the EU-U.S. DPF, however, organizations cannot immediately rely on the Swiss-U.S. DPF for data transfers from Switzerland to the United States. Instead, they must wait until the Swiss Federal Council issues its own adequacy determination for the Swiss-U.S. DPF. On July 11, 2023, the FDPIC issued a statement, describing discussions with the Commerce Department over the Swiss-U.S. DPF as “well advanced.” This statement also explained that as of September 1, 2023, the authority to issue an adequacy determination would shift from the FDPIC to the Federal Council. Taken together, these statements suggest that the Swiss-U.S. DPF will be deemed adequate relatively quickly after September 1, 2023, and organizations will be able to rely on the framework at that time for transfers of Swiss personal data to the United States.
Once the UK Extension and the Swiss-U.S. DPF can be used for cross-border data transfers from the UK and Switzerland, respectively, the DPF will provide a comprehensive mechanism for transfers of HR Data from Europe (broadly defined). Currently, U.S. multinational employers with employees in the UK and Switzerland are required to supplement their EU SCCs with an addendum for the UK and an addendum for Switzerland. After the anticipated adequacy determinations, each of these addendums will become unnecessary for organizations that rely exclusively on the DPF for transfers of HR Data between Europe and the United States.
The Framework is Very Likely to be Challenged
Max Schrems, the individual responsible for challenging (and obtaining the invalidation of) the Privacy Shield and its predecessor, the U.S.-EU Safe Harbor Framework, announced his plan to challenge the DPF prior to its implementation, stating, “We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’—but no substantial change in US surveillance law.”[4] Only time will tell whether the new security restrictions offered and rights granted through the DPF are sufficient to withstand legal challenge. While any legal challenges are ongoing, the DPF will remain a viable transfer mechanism. In the past, rulings invalidating prior data transfer mechanisms have come between two and four years after initial complaints were filed by Schrems. However, until the European Court of Justice is ultimately asked to review the DPF, U.S. multinational employers may be understandably hesitant to rely solely on the DPF.
The European Data Protection Board released updated guidance for each of the permissible transfer mechanisms (SCCs and binding corporate rules) in June 2021 and June 2023, respectively, in light of the Schrems II decision. U.S.-based organizations may wish to utilize a multi-level approach: become certified (or update their certifications) for the DPF, while also using SCCs or binding corporate rules. Particularly for those organizations that recently shifted to relying on one of these mechanisms, continuing to do so may provide much needed backup.
Conclusion
While the DPF may appear to those employers that certified to the Privacy Shield to be little more than a redo destined for the same outcome, the benefits of the DPF should not be ignored. Implementing SCCs or binding corporate rules is a time-consuming and complex process. The DPF offers employers a way to avoid the burden of implementing SCCs to facilitate intragroup flows of HR Data and when onboarding new vendors. The DPF is not a “one-size-fits-all” solution, however; for instance, employers that have implemented a comprehensive intragroup data transfer agreement to cover data transfers in addition to those between the EU and the United States may see limited utility in implementing the DPF. Employers that choose to self-certify to the DPF should determine how best to incorporate the benefits of this mechanism into the company’s existing cross-border data transfer system, while bearing in mind that a legal challenge may eventually appear on the horizon.
Footnotes
[1] The authors discussed the CJEU’s decision in the following article: EU’s Highest Court Upends Personal Data Transfers to the United States: Action Steps for U.S. Multinational Employers to Keep HR Data Transfers on Track, Littler Insight (July 20, 2020).
[2] The authors discussed the new Standard Contractual Clauses in the following article: The European Union’s New Standardized Data Transfer Agreement: Implications for Multinational Employers, Littler Insight (June 9, 2021).
[3] See Executive Order 14086, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, 87 Fed. Reg. 62283 (Oct. 14, 2022).
[4] Noyb, European Commission gives EU-US data transfers a third round at CJEU, July 10, 2023, https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.