On July 10, 2023, the European Commission adopted the long-awaited and much-debated adequacy decision approving the EU-U.S. Data Privacy Framework (EU-US DPF). The EU-US DPF purports to fill the vacuum left by the invalidation of the EU-US Privacy Shield in 2020 via the Schrems II decision. According to the European Commission’s press release, “The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework”. This means that personal data can flow freely from the EU to US companies participating in the EU-US DPF, without having to put in place additional data protection safeguards such as Standard Contractual Clauses (SCCs).
Since Schrems II, the US has adopted several safeguards via an Executive Order in October 2022 and an associated Regulation issued by the US Attorney General. Now, the EU-US DPF creates a self-certification mechanism for data importers similar to the EU-US Privacy Shield. The official DPF self-certification website has been operational since 17 July 2023.
The EU-US DPF safeguards include restricting U.S. intelligence services' access to EU data to only what is necessary and proportionate and establishing a new redress procedure that is binding on US intelligence agencies (namely the Data Protection Review Court and the right to complain to the European Data Protection Board).
The intention is that small and medium-sized companies as well as large cloud and social media companies will reap the benefits from the EU-US DPF as it will eliminate the legal uncertainty behind transatlantic data transfers whilst offering a less costly and complex alternative to transfer mechanisms such as SCCs.
UK and Swiss self-certification under the DPF
As of 17 July 2023, organisations in the US may also self-certify under:
- the UK Extension to the EU-U.S. DPF (UK Extension), for transfers from the UK; and
- the Swiss-U.S. DPF Principles (Swiss-US DPF) mechanisms, for transfers from Switzerland.
Organisations can self-certify their compliance under the EU-U.S. DPF, the Swiss-U.S. DPF, or both, independently of each other. However, organisations that wish to self-certify under the UK Extension must also do the same under the EU-U.S. DPF.
Importantly, personal data cannot be sent to the US from the United Kingdom or Gibraltar or from Switzerland in reliance on the two additional mechanisms before either the relevant UK adequacy regulations come into force, or the Swiss-US DPF is recognised as adequate by Swiss law.
What does this mean for data transfers to the US?
The EU-US DPF decision reshapes the regulatory landscape for transfers from Europe to the US so that, for the foreseeable future, there are two broad routes available to validate such transfers:
- either importers take the adequacy route and self-certify under the EU-US DPF; or
- data exporters and data importers use the original appropriate safeguards route, i.e., implementation of an appropriate safeguard such as SCCs or BCRs.
Should you take the DPF adequacy route?
At first glance, self-certifying under the EU-US DPF appears to be a far less burdensome option because importers can certify as an entity, and not in relation to specific transfers. However, the EU-US DPF should not be viewed as a straightforward tick-box exercise. Organisations must carefully consider whether they can confidently and practically demonstrate their compliance with the DPF principles. Another downside is that a DPF certification opens your privacy programme up to scrutiny from the US Federal Trade Commission (FTC), which carries out very active and comprehensive audits.
Additionally, concerns have been raised in the privacy community. For example, Max Schrems’ organisation, NOYB, has challenged the DPF on the basis that it is essentially a copy of the now defunct Privacy Shield and therefore still has significant surveillance shortcomings. NOYB have stated that they will challenge this decision at the European Court of Justice. Based on experience, there appears to be at least a chance that the DPF might be overruled at the ECJ.
Further, there is also the ability of the European Commission to suspend the EU-US DPF itself if the US does not meet its commitments.
Given the scope for regulatory uncertainty, the DPF may not be quite the silver bullet that organisations navigating the complexities of trans-Atlantic data flows had hoped for.
With that in mind, organisations might consider taking a belt and braces approach by certifying under the DPF and also implementing appropriate safeguards to ensure that data transfers can continue uninterrupted in the event the DPF is invalidated. As a minimum, contracts should include a provision outlining what will happen if the DPF (or any other transfer safeguard) is invalidated.
What about continuing to rely on appropriate safeguards?
Relying on the already established Art. 46 transfer safeguards should not be discounted as the EU-US DPF actually ensures that certain protections afforded by the Framework extend to all exporter organisations no matter which transfer safeguard they rely on.
Additionally, many organisations have already made significant investments in processes since Schrems II such as reviewing and updating the contractual framework that underpins their organisations’ data flows and performing TIAs for the non-adequate jurisdictions where they transfer personal data. Appropriate safeguards and the need to perform TIAs will also continue to apply to transfers to all other non-adequate jurisdictions apart from the US so organisations that already have these processes in place may not wish to deviate from these for one single jurisdiction.
It may therefore make sense to maintain the already established appropriate safeguards in the current uncertain landscape.
Where does this leave Transfer Impact Assessments (TIAs)?
For organisations that still want to rely on SCCs or BCRs, due to the overarching protections mentioned above, the inherent protections negotiated as part of the DPF deal will decrease the risk profile of US data transfers and make the TIA process for transfers to the US a lighter exercise. (This of course may be a temporary relief for organisations depending on the fate of the DPF in the next months or years if it does get challenged at the ECJ).
Even if the EU-US DPF is relied on, there is an argument that there is still a place for TIAs, or at least for implementing supplementary measures, for example by means of privacy enhancing technologies (PETs), to counter the prevailing risk of US government surveillance.
How can our team help?
Data privacy and personal data transfers in particular are fast moving areas which require constant calibration to new changes. Now is the time to strengthen your processes and build a compliance programme that will stay afloat regardless of regulatory uncertainty. Our legal data privacy team has extensive experience in dealing with new developments in an ever-changing landscape.
We can provide end-to-end legal support with data transfers, including:
- analysing your data transfer landscape for specific tools, types of data or across the board, and developing a compliance action plan;
- advising on the implementation of appropriate safeguards for transfers to both third parties and group companies;
- drafting complex intra-group data transfer agreements;
- providing you with an automated TIA solution that captures the information required to be included in a TIA and provides a risk rating. This enables you to carry out and document TIAs in a structured, accountable, and cost-effective way. Our tool overlays assessments of the law and practices of 65+ jurisdictions and helps you establish which aspects of your transfers are compliant and where changes should be made, allowing issues to be addressed pre-transfer (or moving forward);
- helping you assess the current level of compliance of your privacy programme and therefore whether it makes sense to self-certify under the EU-US DPF; and
- validating EU-US DPF certifications for your supply chain.
For more information or to discuss the above, please contact Cavan Fabris, Katherine Eyres or Anca Serban.
Content from the Deloitte Legal blog can now be sent direct to your inbox. Choose the topic and frequency by subscribing here.