The European Commission has concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies certified under the EU-U.S. Data Privacy Framework (‘DPF’). The adequacy decision entered into force on July 10, 2023, but companies are still adjusting to a new reality whose stability depends more on the U.S. government than on the market. For now, the DPF is a reliable bridge for EU companies transferring personal data to the U.S., although other transfer tools, such as the Standard Contractual Clauses, should not be discarded automatically.
What motivated this decision, and how long will it last?
The Commission mainly addressed the concerns about U.S. intelligence surveillance raised in the Schrems II judgment. However, the flagship measures adopted by President Biden’s administration to persuade the Commission (notably Executive Order 14086 of October 2022) have met with skepticism. On the one hand, U.S. intelligence agencies are now bound by the principles of necessity and proportionality. These principles are familiar in EU law, but their interpretation within the U.S. legal system may differ. On the other hand, the U.S. established the Data Protection Review Court to hear complaints filed by EU individuals and to order remedies regarding access to their personal data by U.S. national security authorities. However, the Data Protection Review Court may classify its decisions, which then escape public scrutiny.
Given these doubts, the adequacy decision is expected to be challenged before the EU courts, so it is unlikely to be a permanent solution for transatlantic personal data transfers. The Commission has committed to periodic reviews of the decision, the first of which is due in July 2024.
How does the DPF mechanism work?
In the U.S., the DPF program is administered by the International Trade Administration (‘ITA’) within the Department of Commerce. It enables eligible U.S. companies to self-certify their compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF.
U.S. companies interested in the program must self-certify to the ITA via the DPF website, publicly commit to comply with the DPF Principles, and re-certify annually. Participation in the DPF program is voluntary, but once a company has publicly committed to the DPF Principles, compliance with them becomes enforceable under U.S. law (by the Federal Trade Commission or, for the sectors it supervises, the Department of Transportation).
The public may consult the ITA “Data Privacy Framework List”. For each listed organization it shows the purposes for which personal data is collected, the applicable privacy policy, the dispute resolution methods (including the contact details of the privacy officer and the independent recourse mechanism), and other relevant information.
Reactions in the market: what do U.S. companies have in mind?
U.S. organizations deciding whether to participate in the program are analyzing whether doing so is commercially beneficial, given the volume of EU personal data in their data flows. They are also assessing whether they can sustain continuous compliance, which includes setting up an effective complaint-handling process and paying the fee for the Binding Arbitration Mechanism.
Notably, U.S. organizations already certified under the EU-U.S. Privacy Shield (for instance, Google, Amazon, and Cloudflare) were automatically transitioned to the DPF program and are now listed in the “Data Privacy Framework List”. These companies must take action to comply with the DPF Principles by October 10, 2023; otherwise they may be listed as inactive. The measures to be taken include submitting new documents and statements to the ITA and updating their privacy policies to reference the DPF.
In addition, companies are weighing alternatives to the DPF program, such as the Standard Contractual Clauses (‘SCC’) and the Binding Corporate Rules (‘BCR’). As a result, market reactions to the DPF are mixed: (i) some companies prefer the DPF over bespoke contracts, which take a long time to negotiate; (ii) other companies expect that, even with a DPF certification, their business partners will still require additional contracts, so that certification only adds regulatory risk; and (iii) other companies are willing to certify under the DPF while keeping their existing contracts with their business partners in place.
A compass for EU companies with Transatlantic data flows
EU companies may navigate these new waters by considering the following points:
- The Data Privacy Framework List is a transparent public registry that shows whether a U.S. organization is actively participating in the program. Active U.S. organizations have made their most relevant privacy information publicly available there. However, listed U.S. companies have until October 10, 2023 to update that information, so entries may still be incomplete before then.
- Before relying on the DPF, EU companies should verify on the list that the U.S. recipient holds an active certification and that it covers the type of data being transferred (the list distinguishes human resources data from other data). Where the DPF is used, EU companies must update their privacy notices to reflect it and amend the relevant entries in their records of processing activities.
- The DPF is a clear advantage for U.S. companies, but SCCs and BCRs should not be disregarded. For instance, under the reasoning of the Schrems II judgment, which invalidated the Privacy Shield decision while upholding the SCCs, the validity of the SCCs would not be affected by a future invalidation of the DPF adequacy decision. Also, the DPF applies only to certified U.S. organizations, so SCCs may be the better fit for data flows spanning several jurisdictions. On the other hand, the DPF is likely to be preferred over SCCs by U.S. organizations receiving large volumes of personal data from clients in the EU, as the program simplifies the contracting process.
- Transfers to a DPF-certified U.S. recipient rest on an adequacy decision, so no Transfer Impact Assessment (‘TIA’) is required for them. TIAs remain necessary for transfers not covered by the DPF, whether to the U.S. (for instance, to a non-certified recipient under SCCs) or to other countries; for transfers to the U.S. under SCCs, the safeguards on government access introduced by the U.S. can be taken into account in the TIA, since they apply regardless of the transfer tool used.