UK Extension to the EU-U.S. Data Privacy Framework

What is the UK Extension to the EU-U.S. Data Privacy Framework?

The UK Extension to the EU-U.S. Data Privacy Framework is designed to simplify data transfers from the United Kingdom (UK) to the United States (U.S.).

The Government of the United Kingdom declared the U.S. an adequate State through an adequacy decision, but only for the organizations certified under the Framework. An adequacy decision means that the Government has determined that, under the conditions of the Framework, British data receives a level of data protection in the U.S. equivalent to the one it receives in the UK. The extension is, as the name indicates, an extension of the EU-U.S. DPF: the text of the EU-U.S. DPF applies to the data transfers, and the certified organizations must comply with the EU-U.S. DPF Principles to guarantee an adequate level of protection.

If such a framework is used, additional safeguards don’t have to be implemented for data transfers to these certified organizations, as a certain level of data protection is guaranteed. If the country to which data is transferred isn’t deemed adequate, additional safeguards such as the Standard Contractual Clauses (SCCs) must be implemented. This is the case for data transfers to U.S. organizations that are not certified.

What are the EU-U.S. Data Privacy Framework Principles?

The EU-U.S. Data Privacy Framework Principles are also referred to as the Principles. Seven such Principles are described in the Framework:

- Notice: individuals must be informed through a notice about certain information such as their rights, the organization’s participation in the Framework, the types of data collected about them…

- Choice: individuals must have the opportunity to decide whether their data should be disclosed to a third party or used for a purpose significantly different from the one for which it was originally collected or subsequently authorized by them.

- Accountability for onward transfer: this pertains to data transfers to third parties; a contract that complies with specific requirements must be established.

- Security: reasonable and appropriate measures must be taken to protect the data.

- Data integrity and reasonable limitation: this principle aligns with the data minimization and data accuracy principles of the UK General Data Protection Regulation.

- Access: individuals must be guaranteed their rights of access, rectification and erasure.

- Recourse, enforcement and liability: mechanisms must be established to guarantee compliance with the Principles and to guarantee recourse for individuals affected by non-compliance with the Principles.

The Framework also describes Supplementary Principles related to themes such as sensitive data, human resources data, and pharmaceutical and medical products. These Supplementary Principles take the seven Principles and apply them to specific themes.

The Scope of the Framework

Who is affected?

U.S. organizations must self-certify to comply with the EU-U.S. Data Privacy Framework (DPF). To maintain their adherence to the Framework, these organizations are required to periodically re-certify themselves. However, not all companies are qualified for this self-certification process. Only those under the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation are eligible to participate.

Eligible organizations have the discretion to choose whether to comply with the Framework. Nonetheless, once they decide to adhere, abiding by the Principles is obligatory. Furthermore, organizations that opt for self-certification are required to publicly affirm their commitment to the Principles, such as by displaying it on their website.

EU entities have the option to engage with certified U.S. organizations under the Framework. While these EU organizations are not obligated to undertake additional steps, the Framework is applicable only if the U.S. organization holds certification under the Framework.

How to know if a U.S. organization is certified?

The Data Privacy Framework List indicates the organizations that are currently active participants in the Framework, as well as those that are inactive. It is available online and is maintained by the U.S. Department of Commerce.

Organizations that withdraw from the Framework or that fail to complete their annual re-certification are removed from the list. The data those organizations collected on the basis of the Framework then has to be handled in one of three ways. One method is for the organization to annually reaffirm its commitment to the Principles and keep applying them to the data. It can also use additional safeguards, such as the SCCs. Finally, the organization can return or delete the data.

If organizations repeatedly fail to adhere to the Principles, the U.S. Department of Commerce has the authority to exclude them from the list. In such instances, these organizations are left with no alternative but to either return or destroy the data they acquired under the Framework.

What can be transferred?

Personal data can be transferred from EU organizations to U.S. certified organizations. Personal data is defined in the text as: "data about an identified or identifiable individual that are within the scope of the GDPR, received by an organization in the United States from the EU, and recorded in any form."

Key provisions specific to Life Science companies

Key-coded data, also known as pseudonymized research data, falls under the EU-U.S. Data Privacy Framework (DPF), including instances where the sponsor receives such data without the key to re-identify individuals. Sensitive data, encompassing health, biometric, and genetic information, is also covered by the framework.

In clinical trials, participants must receive a notice as per the notice principle. This notice must detail the processing and transfer of data, including information on potential future uses. If future uses are predetermined, they should be explicitly stated. If not, the notice must mention that personal data might be used for unforeseen medical and pharmaceutical research. If data use deviates from the original research purposes or from what the individual has consented to, new consent is required.

For data transfers to third parties, a data processing agreement ensuring protection equivalent to the Framework's Principles is necessary. Such transfers are only permitted for specific, limited purposes.

Regarding withdrawal from a clinical trial, any data collected prior to withdrawal can still be used with other trial data, provided this was clearly communicated in the notice at the time of consent.

Participants in blinded studies must be informed of, and consent to, the restricted access to their treatment data. Access to their individual data will be granted, upon request, only after the trial has concluded and the results have been analysed.

How can a U.S. organization self-certify?

U.S.-based organizations submit their self-certification to the U.S. Department of Commerce’s International Trade Administration (ITA). The organizations must initially self-certify and then annually re-certify to the ITA that they adhere to the DPF Principles.

If the self-certification submission is complete, the ITA will publish the organization’s name on the DPF List. Once the organization’s name appears on the list, the organization can benefit from the Framework.

The initial step in self-certification involves establishing a privacy policy that aligns with the DPF principles. This policy should detail the organization's information handling practices, address individual rights, and specify the selected independent recourse mechanisms. It must be crafted in accordance with the Notice Principle of the DPF and explicitly state adherence to the DPF Principles. Additionally, the policy should include a link to the DPF website. Importantly, this privacy policy must be active before self-certification.

The self-certification submission needs to accurately indicate where the privacy policy is accessible. The policy must be publicly available: if the organization has a website, the policy should be posted there, and the website address should be provided during submission. If the organization does not have a website, it must provide the ITA with a copy of the privacy policy and explain how affected individuals can access it.

Organizations are also required to have a verification mechanism to ensure adherence to the DPF Principles. This can be achieved either through internal self-assessment or external compliance reviews.

Furthermore, if an organization intends to use the Framework for transferring human resources data from the EU, particularly in employment contexts, it must inform the Department of this intention.

The variants of the Data Privacy Framework for data transfers

Besides the EU-U.S. Data Privacy Framework, there are two additional frameworks that enable data transfers without extra safeguards. UK organizations seeking to transfer data to DPF-certified U.S. entities can utilize the UK extension. Similarly, the Swiss-U.S. Data Privacy Framework allows Swiss organizations to transfer data to certified U.S. organizations.

How much does it cost?

Two types of fees must be paid to complete the self-certification process. Firstly, the organization must pay the DPF arbitral fund fee. Secondly, an annual fee must be paid for the certification or re-certification process. The cost depends on whether the organization adheres to only one framework or both frameworks.

What happens if there is a complaint?

Individuals in the EU with queries or issues should first approach the certified organization directly. In case there's no response from the organization within 45 days, they can escalate their complaint to the organization's chosen independent recourse mechanism. If this does not resolve the issue, they may have the option to seek binding arbitration. Furthermore, they always have the right to file a complaint with their local data protection authority.

What are the differences between Standard Contractual Clauses (SCCs) and the DPF?

SCCs are tools created by the European Commission to serve as additional safeguards for data transfers under Article 46 of the General Data Protection Regulation (GDPR).

Whether SCCs or the Framework are used, a Data Processing Agreement must still be concluded. Some principles and clauses of the SCCs and of the Framework are similar. However, the similarity ends there.

SCCs can be used for transfers from the EU to any type of U.S. organization. The Framework can only be used for transfers to certified U.S. organizations.

If a dispute arises, in the case of SCCs, the organizations have to submit to the jurisdiction of a court in a Member State and be subject to the laws of a Member State within the EU. In the context of the Framework, U.S. authorities are competent.

SCCs have to be attached to each data transfer agreement; the right module has to be chosen, as well as the options within the clauses. The Framework doesn’t have to be incorporated, only mentioned; however, the U.S. organization must still be certified.

The SCCs sometimes have to be completed with supplementary measures, depending on the result of a Data Privacy Impact Assessment. They also must be updated for every change in the data transfer. The DPF, on the other hand, is simply a mention: it remains applicable through every change, and supplementary measures theoretically don’t have to be added.

The SCCs are published by the European Commission and are always valid. The DPF is to be reviewed in July 2024. If the review concludes that the DPF doesn’t adequately protect EU data, additional safeguards such as SCCs would have to be implemented. On the other hand, if the DPF is deemed adequate, it will continue to apply without changes, and a new review will be conducted in July 2028, four years after the initial review.

How does it relate to HIPAA?

The Framework is not the same as HIPAA; they are different regulations. They don’t have the same purpose or exactly the same requirements. However, some requirements may be similar, and both insist on the individual’s right of access.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified