Following the adequacy decision, as outlined in our previous article, personal data may be transferred from the EU/EEA to companies in the US that are listed on the “Data Privacy Framework List“. The EDPB confirms in their information note that in these cases, there is no need to establish other transfer tools. Hence, if the data transfer is based on the EU-US Data Privacy Framework, it is no longer necessary to, for example, enter into EU Standard Contractual Clauses nor to establish effective supplementary measures.
Companies that were certified under the former US Privacy Shield, will as a main rule be certified and added to the list. To maintain certification under the new EU-US Data Privacy Framework however, the relevant companies must as soon as possible, and no later than three months from the adequacy decision (i.e. 10 October), update their privacy policies to include a commitment in accordance with the principles in the new EU-US Data Privacy Framework. All companies covered by the new framework must conduct an annual re-certification. Read more about the certification requirements here.
Transfers of personal data from EEA to recipients in the US that are not listed on the Data Privacy Framework List, cannot be done on the basis on the new framework. Further, the adequacy decision does not apply if the recipient in the US is a data processor using sub-processors that are not listed on the Data Privacy Framework List. For such data transfers, another transfer mechanism must be in place, for example either by entering into EU Standard Contractual Clauses or relying on Binding Corporate Rules (BCR) in accordance with Article 46 GDPR. In these cases, it must also be assessed whether there is a need for supplementary measures to establish an adequate level of protection og the transferred data.
As part of establishing the new EU-US Data Privacy Framework, safeguards have been put in place by the US Government in the area of national security related to accessing and using personal data transferred from EU/EEA. Worth noting is that these guarantees are relevant for all data transfers to the US and apply regardless of the choice of transfer mechanism. Accordingly, where the new framework does not apply and I context of assessing whether the chosen transfer mechanism (e.g. EU Standard Contractual Clauses or BCR) ensures an adequate protection, the businesses can rely on the European Commission’s analysis of US legislation and practice. In practice, this mean that it will be less demanding to document legitimate data transfers to the US, also where the data is transferred to companies not certified under the new EU-US Data Privacy Framework.
Based on the above, we recommend that all Norwegian businesses take the following actions, in relation to the new framework:
- Identify/update the overview of data importers in the US, i.e. parties who receive/have access to personal data
- Map all data importers (both data processors and sub-processors) that are listed in the Data Privacy Framework List
- Monitor that those data importers maintain its certification under the new EU-US Data Privacy Framework (alternatively, request a confirmation)
- Ensure to establish another transfer mechanism for data transfers to all data importers, including sub-processors, that are not listed on the Data Privacy Framework List, including assessing whether there is a need to establish supplementary measures considering also the European Commission’s analysis of US legislation and practice
- Update former assessments related to legitimate data transfers, based on the new framework.