If you have been doing business with entities in the European Union, chances are that you have struggled to figure out how to transfer data from the EU to the US without running afoul of the General Data Protection Regulation (GDPR). You are not alone. The EU and US have struggled to create “adequate” safeguards for the transfer of personal data since 2000.
The first set of guidelines, the Safe Harbor Privacy Principles, was adopted in 2000. However, a legal challenge was brought, and, in 2015, the guidelines were invalidated. In 2016, the EU-US Privacy Shield Framework was unveiled. In 2020, privacy activists persuaded the Court of Justice of the European Union to invalidate this framework as well.
After several years of waiting, on July 10, 2023, the European Commission issued its third set of guidelines – the EU-US Data Privacy Framework (DPF). The Department of Commerce has created a website for US companies to self-certify compliance with the DPF. To be considered in compliance, US companies are required to:
• inform individuals of their rights under the DPF
• create a dispute resolution process for addressing data subject complaints
• cooperate with the Department of Commerce’s International Trade Administration
• maintain data integrity and limit collection based on the purpose of collection
• ensure accountability for data transferred to third parties, including entering into a data processing agreement with the third parties
• publicly share DPF compliance or assessment reports following an FTC or court order of non-compliance
• commit to apply DPF principles to data collected while participating in the framework, even if the company later leaves the DPF program
Only companies who have self-certified through the US Department of Commerce that they are compliant with the DPF may rely on the framework’s provisions when transferring data from the EU to the US. Companies that self-certified under the former Privacy Shield program have the option of re-certifying under the DPF or withdrawing.
Companies that do not self-certify under the DPF must rely on alternate mechanisms, such as robust standard contractual clauses, to transfer personal data outside the European Economic Area. Small and medium-sized businesses may find self-certifying less cumbersome than the alternative; however, there are burdens and benefits to both approaches.
When deciding how to proceed, it is important to note that both the EU company transferring personal data and the US company receiving personal data can be liable under the GDPR if adequate safeguards are not in place. Further, the Data Protection Review Court has the power to order companies to delete personal data that was collected in violation of the DPF’s adequacy safeguards.
Companies should also consider the possibility that the DPF will be overturned, like previous guidelines, because its protections are inadequate. Indeed, the first legal challenge to the DPF was filed on September 8, 2023.
The Buchalter privacy team can help you analyze the pros and cons of certifying, and complete the self-certification process. In the alternative, Buchalter can help implement or revise standard contractual clauses. For assistance, please contact a member of our privacy and cybersecurity team:
Frank Curci is a Shareholder in Buchalter’s Portland and Scottsdale offices and a member of the Firm’s Corporate Practice Group.
Christina Morgan is Of Counsel in the Firm’s San Diego office and a member of the Litigation and Privacy & Cybersecurity practice groups.
Leah Lively is a Shareholder in Buchalter’s Portland, San Diego, and Seattle offices and a member of the Labor & Employment practice.
Steven Nakasone expertise covers general corporate and business transactions with an emphasis on product distribution, branding, licensing, advertising, and promotion.
Akana Ma is a Shareholder in Buchalter’s Portland office and a member of the Firm’s Corporate Practice Group.
This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.