Data processed by U.S. suppliers
On July 10, 2023, the European Commission adopted its adequacy decision on the new EU-US Data Privacy Framework, i.e. the regulation of a new framework for the transfer of the personal data of European citizens to the United States, succeeding the arrangement formerly known as the Privacy Shield.
This is a major step forward in the protection of personal data at the international level. Only three years earlier, in July 2020, the Court of Justice of the European Union, in its judgment Facebook Ireland vs Schrems, had declared the Privacy Shield with the United States null and void for data transfers, on the grounds that it did not provide a level of protection adequate in relation to the European legal framework on data protection, i.e. that it did not comply with the General Data Protection Regulation (GDPR).
In the words of the President of the European Commission, Ursula von der Leyen:
“The new EU-US Data Privacy Framework will ensure Europeans the secure flow of their data and establish legal certainty for businesses on both sides of the Atlantic. Since I reached the agreement in principle with President Biden last year, the United States has made unprecedented commitments to establish the new framework. Today we are taking an important step to give citizens confidence that their data will be secure, to deepen the economic link between the EU and the US, and simultaneously to reaffirm our shared values. It demonstrates that, when we work together, we are capable of tackling the most complex issues.”
Similarly, Didier Reynders, Commissioner for Justice, pointed out:
“The adoption of this adequacy decision is the latest step in ensuring security and freedom in the transatlantic transfer of data. It ensures the protection of individual rights in our intangible and interconnected digital world, where physical borders matter little anymore. Since the “Schrems II” ruling a few years ago, I have worked tirelessly with my US counterparts to address the reservations expressed by the Court of Justice and to ensure that technological development does not come at the expense of Europeans’ trust. As close partners with like-minded perspectives, the EU and the US have been able to find solutions, based on their shared values, that are in line with the law and practicable in their respective legal systems.”
New developments in this new framework with the United States
First
U.S. companies that choose to do so must join this new adequacy framework, called the Data Privacy Framework List, so that transfers of personal data to them can be carried out in compliance with European regulations. This mirrors what already happened in the past with the list of entities registered under the Privacy Shield.
Second
The system of guarantees for European citizens whose data is processed by U.S. companies has been strengthened, for example:
1- Obligation to delete personal data when they are no longer necessary for the purposes for which they were collected.
2- Obligation to ensure continuity of protection when personal data are shared with third parties.
3- New avenues of redress, with the possibility of obtaining an independent and free resolution.
4- Creation of a specific court to review decisions on the improper handling of European citizens’ personal data (the Data Protection Review Court).
Operation of the new adequacy framework with the United States
As far as we know, it will be the U.S. Department of Commerce that receives and oversees applications for adherence to this new adequacy framework.
On the other hand, the U.S. Federal Trade Commission will be in charge of supervising that companies comply with the obligations established in this framework.
European citizens will be able to file complaints in their home countries, written in their own language and submitted to the competent data protection authorities, which will be forwarded to the European Committee of Human Rights, which in turn will transmit them to the United States.
In the United States, a newly created Civil Liberties Protection Officer within the U.S. intelligence community will ensure that U.S. intelligence agencies comply with privacy and fundamental rights.
If the data subject is not satisfied with the decision of this Officer, the Data Protection Review Court (a newly created body, independent in the issuance of its decisions) may be called upon to impose binding corrective measures.
Special mention of access by U.S. intelligence services
Access to personal data by U.S. intelligence services has been a highly controversial point, and it is now governed by the Executive Order issued by President Biden in October 2022, “Enhancing Safeguards for U.S. Intelligence Activities”.
The following safeguards are available to Europeans when personal data about them have been transferred to the United States:
1- Limitation of access to personal data by intelligence services to what is necessary and proportionate to protect national security;
2- Increased supervision of the intelligence services’ surveillance activity;
3- Creation of a Data Protection Review Court to review cases in which intelligence services have had access to personal data.
Review of the adequacy framework
The first review of the effectiveness of this new adequacy framework will take place one year after its entry into force, i.e. in July 2024.
After this first review, and subject to prior agreement between Europe and the United States, the effectiveness of this framework may be reviewed at least every four years.
How should Spanish companies act?
First, Spanish companies must identify the geographic location where their providers will process the personal data under the companies’ responsibility. That location is legally acceptable as long as it is within the European Union (EU) or the European Economic Area (EEA). Request this information from the provider before contracting its services. The most common American providers we usually work with are MailChimp, DropBox, Microsoft or Google, among many others.
If the provider processes the data in the United States, it is necessary to verify whether the provider is included in the Data Privacy Framework List. This can be checked by searching the Data Privacy Framework List website.
If the provider is not included in this list of adhering companies, then in order to comply with the GDPR we will have to agree standard contractual clauses with the provider, as established in Article 46 of the GDPR, so that the international transfer of such personal data offers sufficient guarantees for the rights and freedoms of European citizens. The content of those clauses must follow Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Articles 28(1) and 46(2)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Business Adapter® at your service
If you are a client and need the services of an American supplier, please contact your consultant for documentation and instructions.
If you are not yet a customer and need our help, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in the contact form on our website.