Guidelines for Data Transfers for Your Hospitality Business
By Richard Sheinis | August 1, 2023
On July 10, the European Commission adopted an adequacy decision on the EU-US Data Privacy Framework. An adequacy decision is a mechanism under the GDPR to allow for the legal transfer of personal data from the EU to a third country. A short review of the transfer of personal data from the EU to the US will assist in understanding the actual implications of this adequacy decision.
The GDPR requires that when personal data is transferred from the EU to a third country, the data receives the same level of protection as when the data is in the EU. In order to ensure this level of protection, the GDPR provides a limited number of mechanisms under which such a transfer is legal. One such mechanism applies when the third country is the subject of an adequacy decision by the European Commission. An adequacy decision means that the laws of the third country provide the same level of protection for the data as the GDPR. However, only a small number of countries are the subject of an adequacy decision. In the absence of an adequacy decision, the GDPR allows the data exporter (in the EU) and the data importer (in the third country) to enter into standard contractual clauses (SCCs). An SCC is a form or template of conditions which the data exporter and data importer agree to abide by so that the personal data is adequately protected in the third country.
Several years ago, personal data could also be transferred from the EU to the US under the US Privacy Shield. The Privacy Shield was a mechanism by which a data importer in the US could self-certify that it would abide by certain data privacy conditions. However, the Privacy Shield was struck down by the European Court of Justice on July 16, 2020. Since that time, companies involved in the transfer of personal data from the EU to the US have primarily relied upon SCCs. However, the SCCs were then also found to be inadequate, and revised SCCs were adopted in 2021.
The latest adequacy decision on the EU-US Data Privacy Framework is a return to the days of the Privacy Shield and is not a true adequacy decision. Adequacy decisions for countries other than the US have stated that the laws in the respective third country are sufficient for the privacy and protection of personal data while in that country. Nothing further needs to be done for the transfer to the third country to be legal. For example, Canada is the subject of an EU adequacy decision. When personal data is transferred from the EU to Canada, the data exporter and the data importer do not need to enter into any other agreement or take any further steps for the transfer to be legal under the GDPR. The adequacy decision for the EU-US Data Privacy Framework is not quite as simple or straightforward.
In order for a company in the US to use this adequacy decision as a legal basis for the transfer of personal data from the EU to the US, the data importer in the US must also self-certify that it is compliant with the Data Privacy Framework. The self-certification process, overseen by the US Department of Commerce, involves the data importer agreeing to comply with a detailed set of privacy obligations. The framework differs from the aforementioned Privacy Shield largely based upon a Presidential Executive Order limiting access to data by US intelligence agencies, as well as providing new redress mechanisms for complaints regarding data access by these agencies.
So where does this leave data importers or other entities in the US that collect personal data subject to the GDPR, and then transfer such data to another entity, such as a vendor, in the US? Should a US-based hotel or vendor that is subject to the GDPR self-certify under the EU-US Data Privacy Framework, or should it continue to rely on SCCs for applicable data transfers?
In some cases, self-certification under the EU-US Data Privacy Framework might be a worthwhile mechanism for vendors to demonstrate their data privacy compliance and make it easier for hoteliers to do business with them. Each vendor will have to assess, from an expense and client relations standpoint, whether self-certification is worthwhile. For most hoteliers, the expense, together with the potential that the Data Privacy Framework will be struck down as the Privacy Shield was, makes self-certification an unattractive venture. Continuing to rely on SCCs is more likely the most cost-effective and efficient method for data transfer compliance.