
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission has concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies certified under the EU-U.S. Data Privacy Framework (‘DPF’). The adequacy decision entered into force on July 10, 2023, but companies are still navigating towards this new reality, whose favorable winds depend more on the U.S. government than on the market. Meanwhile, the DPF is a safe bridge for EU companies transferring personal data to the U.S., although other transfer tools, such as the Standard Contractual Clauses, should not be automatically discarded.

What motivated this decision, and how long will it last?

The Commission mainly addressed the concerns about U.S. intelligence surveillance raised in the Schrems II judgment. However, the measures introduced by the Biden administration to persuade the Commission (chiefly Executive Order 14086) have drawn skepticism. On the one hand, U.S. intelligence agencies are now bound by the principles of necessity and proportionality. These principles are familiar to the EU, but their interpretation within the U.S. legal system may differ from the one given by the Court of Justice of the EU. On the other hand, the U.S. established the Data Protection Review Court to resolve complaints filed by EU individuals and to order remedies regarding access to their personal data by U.S. national security authorities. However, the Data Protection Review Court’s decisions may be classified and are not subject to public scrutiny.

Given these doubts, the adequacy decision is expected to be challenged before the EU courts, which makes it unlikely to be a permanent solution for transatlantic personal data transfers. The Commission committed to a periodic review of the decision, with the first review due in July 2024.

How does the DPF mechanism work?

In the U.S., the DPF program is administered by the International Trade Administration (‘ITA’) within the Department of Commerce and enables eligible U.S. companies to self-certify their compliance under the DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

U.S. companies interested in the program must self-certify to the ITA via the DPF website, publicly commit to comply with the DPF Principles, and re-certify annually. Although participation in the DPF program is voluntary, once a company commits to adhere to the DPF Principles, compliance becomes enforceable under U.S. law, principally by the Federal Trade Commission.

The public may consult the ITA “Data Privacy Framework List”, in which each listed organization discloses the purposes for which it collects personal data, its privacy policy, its dispute resolution arrangements (such as the contact details of its privacy officer and the independent recourse mechanism it uses) and other relevant information.

Reactions in the market: what do U.S. companies have in mind?

U.S. organizations deciding whether to participate in the program are analyzing whether doing so will be commercially beneficial, given the volume of EU personal data in their data flows. They are also assessing whether they can sustain continuous compliance, which includes setting up an effective complaint-handling process and paying the fee for the Binding Arbitration Mechanism.

Notably, U.S. organizations that were still registered under the EU-U.S. Privacy Shield (for instance, Google, Amazon and Cloudflare) were automatically transitioned to the DPF program and now appear in the “Data Privacy Framework List”. These companies must take action to comply with the DPF Principles by October 10, 2023; otherwise, they may be listed as inactive. The required measures include submitting new documents and statements to the authorities and updating their privacy policies to refer to the DPF.

In addition, companies are weighing the DPF program against other transfer tools, such as the Standard Contractual Clauses (‘SCC’) and Binding Corporate Rules (‘BCR’). As a result, the market’s reaction to the DPF is mixed: (i) some companies favor the DPF over bespoke contracts, which take a long time to negotiate; (ii) others consider that, even with a DPF certification, business partners may still require additional contracts, so that certification only adds regulatory exposure without removing contractual work; and (iii) others are willing to implement the DPF while keeping their existing contracts with business partners in place.

A compass for EU companies with Transatlantic data flows

EU companies may navigate through these new waters considering the following issues:

  • The Data Privacy Framework List is a transparent public registry for checking whether a U.S. organization is actively participating in the program. Active U.S. organizations have made their most relevant privacy-related information publicly available. However, listed U.S. companies are still updating their information, with a deadline of October 10, 2023.
  • Before relying on the DPF, EU companies should verify that the U.S. recipient holds an active DPF certification and that the certification covers the data in question (certifications specify whether they cover HR data, non-HR data or both). Where appropriate, EU companies must update their privacy policies to reflect the DPF as the transfer mechanism and adjust the corresponding entries in their record of processing activities.
  • The DPF is a clear advantage for U.S. companies, although other tools such as SCCs and BCRs should not be disregarded. For instance, under the criteria set in the Schrems II judgment, the validity of the SCCs would not be affected by a future invalidation of the DPF adequacy decision. Also, the DPF applies only to certified U.S. organizations, so SCCs may be the appropriate tool for data transfers covering several jurisdictions. On the other hand, the DPF is likely to be preferred over SCCs by U.S. organizations receiving significant volumes of personal data from EU clients, as the program simplifies the contracting process.
  • Transfers to DPF-certified organizations do not require a Transfer Impact Assessment (‘TIA’), since they are covered by an adequacy decision. However, TIAs remain necessary for transfers not covered by the DPF, whether to non-certified U.S. recipients or to other third countries.

 
