The Data Privacy Framework: the Practical Implications for Trans-Atlantic Data Transfers
The European Commission has finally adopted a new framework for trans-Atlantic data transfers known as the EU-U.S. Data Privacy Framework (DPF). This framework replaces the Privacy Shield, which, in turn, replaced the Safe Harbor. Both Safe Harbor and Privacy Shield were invalidated by the European Court of Justice in 2015 and 2020, respectively, due to concerns about potential bulk surveillance of personal data of EU data subjects transferred to the US and the absence of an equivalent level of data protection in the US. As companies and organizations navigate this new landscape, it is important to understand the practical implications and relevant steps to ensure data protection compliance.
For businesses and organizations planning new transfers of personal data from the European Economic Area (EEA) to the US, the following steps are essential:
- Before the transfer takes place, verify on the DPF website whether the US recipients are certified by the DPF.
If the transfer is indeed covered by the DPF:
- make sure that the relevant data protection agreements (for instance a data processing agreement) reflect that the DPF applies to the data transfer to ensure an adequate level of data protection in accordance with the GDPR;
- carrying out a data transfer impact assessment (DTIA) is not required since the adequacy decision deems the recipient country’s laws to provide a sufficient level of data protection (so long as the decision is not withdrawn by the European Commission, or invalidated by the EU Court);
- considering the DPF is already subject to heavy scrutiny and may therefore – like both its predecessors – be invalidated in a few years, it is advisable to include a fallback data transfer instrument in the agreement, such as the Standard Contractual Clauses (SCC). This is especially advisable if the transfer is not a one-off or short-term data transfer. If an alternative instrument is also included, it is wise to specify a clear order and scope of applicability so that the highest level of data protection is offered.
If the transfer is not (fully) covered by the DPF:
- An alternative data transfer instrument should then be implemented, such as concluding the SCC.
- It may be advisable to include an arrangement in the existing agreement in the event that the US recipient does become DPF certified.
- It is still required to perform a DTIA before the data transfer takes place. However, it may be possible to leverage the European Commission’s reasoning in its DPF adequacy decision. In other words, the additional safeguards implemented by the US, which led the European Commission to consider transfers under the DPF as providing an adequate level of data protection, also extend to all other data transfers from the EU to the US. Therefore, the additional safeguards implemented by the US can be referred to as a basis for alternative data transfer instruments besides the DPF.
For existing data transfers from the EEA to the US based on data transfer instruments other than the DPF, the following actions are recommended:
- Check whether the DTIA should be updated, taking into account the additional safeguards implemented by the US for all data transfers and the reasoning of the European Commission in its adequacy decision;
- Especially if the agreement is being renewed, check whether the recipients in the US are DPF certified. If they are, please refer to the relevant actions above under new data transfers. Please note that it may be advisable to keep the alternative data transfer instrument used in place given the uncertain future of the DPF.
Furthermore, if you intend to rely on the DPF for data transfers, make sure to include this information in your privacy notice in accordance with Articles 13(1)(e) and 14(1)(f) of the GDPR. US data importers seeking to benefit from the safeguards of the DPF should self-certify under the DPF and comply with its principles, which should be reflected in their privacy notices within three months from the DPF’s effective date.
Lastly, your data processing register may also need to be updated depending on (changes in) the instruments used for the transfer of personal data.
If you have any questions or require assistance in implementing the above, please contact the Privacy & Data Team of Van Doorne.