Considerations for Certifying Under the EU-U.S. Data Protection Framework (DPF)

Update: The Irish Data Protection Commission has ruled that the SCCs do not provide sufficient protection for the transfer of EU personal data to the US. Because of this ruling, we are hopeful that EU regulators will deem the DPF adequate for transatlantic personal data transfers by the October 2023 deadline. We expect that companies will need to use the DPF for transatlantic personal data transfers once it is deemed adequate. The timeline and potential advantages and disadvantages outlined in the article below will continue to be relevant, and companies should be aware as they weigh their options.

There has been a wave of data privacy legislation passed over the last decade, with various laws being passed in the European Union and across the states in the United States. In their latest effort, EU regulators are deciding whether the newly announced Trans-Atlantic Data Privacy Framework (DPF) will provide EU individuals’ personal data adequate protection when the personal data is stored in the United States. Data flows between the United States and Europe enable the $7.1 trillion U.S.-EU economic relationship and influence global economic growth. This decision impacts not only the large technology companies in the U.S. but all U.S. companies that trade within the EU. The European Commission is expected to release its adequacy decision in Spring 2023. 

If successful, the DPF would replace the now-defunct EU-U.S. Privacy Shield Framework (Privacy Shield Framework), simplifying the EU-U.S. data flows. However, whether or not to certify under the DPF is a decision that most businesses will have to make in the coming months. This article will provide an overview of changes to transatlantic personal data transfer mechanisms and break down the potential advantages and disadvantages of signing up for the DPF to assist business leaders when deciding whether their company should consider self-certifying under the DPF if it is deemed adequate by the EU regulators.

Overview of Changes to Transatlantic Personal Data Transfer Mechanisms

Due to the divergence between U.S. privacy laws and the extraterritorial applicability of the EU’s General Data Protection Regulation (GDPR), U.S.-based technology companies that operate in both the EU and the U.S. are required to abide by the GDPR. The GDPR imposes some of the most stringent requirements on how companies handle EU individuals’ personal data when that data is in the U.S. or in other third countries deemed inadequate.

The EU and U.S. governments have attempted to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the U.S. However, the effort has not been successful. These solutions, starting with the U.S.-EU Safe Harbour Framework in 2000, followed by the Privacy Shield Framework in 2016, have consistently been struck down by the Court of Justice of the European Union (CJEU) and have been invalidated for not adequately protecting the privacy of EU individuals. The constant uncertainty and shifting requirements have led to increased costs for companies as they work to comply with the ever-changing laws and regulations.

The timeline below shows an overview of the changes to EU data protection laws as they pertain to transatlantic personal data transfers:

Timeline of Changes to Transatlantic Personal Data Transfer Mechanisms

Currently, companies transferring personal data from the EU to the U.S. must comply with GDPR. Under GDPR, all EU companies that transfer data to the U.S. and to other countries whose privacy laws are not deemed to protect EU individuals’ personal data adequately must use appropriate safeguards in the form of transfer mechanisms. The most commonly used transfer mechanism is Standard Contractual Clauses (SCCs) in contracts, which makes such contracts substantially longer and lengthens the contract negotiation process. 

Companies must also conduct transfer impact assessments and agree to supplementary measures that further complicate commercial transactions and slow down deal velocity. The lack of legal certainty affects every U.S.-based company that sells its goods and/or services in the EU and every EU-based company that has a U.S. subsidiary or affiliate.

Should You Certify Under the Trans-Atlantic Data Privacy Framework (DPF)?

The DPF has received mixed reviews, with some EU regulators not wanting the European Commission to extend an adequacy decision to the U.S. At the same time, the European Data Protection Board welcomed what it called “substantial improvements.” 

The legal uncertainty surrounding the adequacy of the DPF as well as the constant invalidation of the various transfer mechanisms is not only bad for business but also affects companies’ bottom lines as they expend resources trying to figure out the best way to handle EU individuals’ personal data without violating the various laws. 

Companies should consider the pros and cons of certifying under the DPF. Business leaders should consider their risk appetite, revenue impact, and data flows. This is not a suggestion to certify or not to certify under the DPF. This is only a prompt to consider the issues that come with certifying or not certifying under the DPF. 

Potential Advantages of Certifying Under the DPF

1. Less time and resources spent negotiating contracts with EU-based customers. 

The time and resources spent adding SCCs to commercial contracts and negotiating them will decrease. The related costs of conducting transfer impact assessments and completing questionnaires to determine the risks related to the transatlantic personal data transfers will also decrease. The legal and technical resources and stakeholder collaboration needed for these activities will be significantly reduced. Compliance teams will only have to monitor the validity of the DPF. Deal velocity and cash flow will increase, subsequently improving profitability. 

2. Self-certification will be fairly straightforward since the DPF self-certification process is substantially similar to the prior Privacy Shield Framework self-certification process. 

Companies that are still Privacy Shield certified will not have to change many of their internal processes and procedures to remain certified under the DPF. Also, companies that are not yet certified but have a functioning privacy and security compliance program based on GDPR are closer to meeting the requirements for DPF certification since the DPF principles contain a set of commonly recognized privacy principles. This means that companies that already comply with the GDPR may not have difficulty meeting the DPF compliance requirements.

3. Completing transfer impact assessments will become easier 

For each new processing activity that involves data transfers to countries not deemed adequate by the European regulators, transfer impact assessments (TIAs) are now compulsory under EDPB Guidance on Supplementary Measures for data transfers, the June 2021 Standard Contractual Clauses (SCCs), and the Schrems II decision. A TIA allows for an examination of the specific data transfer as opposed to providing an objective assessment of data transfers to that third country. TIAs are usually in the form of questionnaires that rank the risk of a transfer based on the possibility that local authorities will be able to access EU personal data. Filling in such questionnaires is a time-consuming exercise. However, once a company certifies under the DPF, sections of TIAs will be easier to fill because importers of EU personal data can rely on the EU regulator’s adequacy decision regarding the DPF to prove that such transfers will be protected. 

Potential Disadvantages of Certifying Under the DPF 

1. The DPF is likely to be challenged in court and most likely invalidated as a result.

While there could be a short-term period of less work under the DPF, the prior frameworks were generally struck down within two to three years of being found adequate by the European Commission. Companies do not want to expend the effort for self-certification only to have the DPF invalidated again. Contracts must also be amended to add a valid transfer mechanism once the DPF is invalidated, therefore leading to a waste of resources and time. 

2. The expectation will be to continue to be accountable for the personal data transferred under the DPF, even if the DPF is invalidated. 

As happened with the now-defunct Privacy Shield Framework, companies must recertify under the DPF on an annual basis to affirm to the Department of Commerce their commitment to continue to apply the DPF Principles to the transferred data, even if it is invalidated. This applies unless they can show that they have safely destroyed or returned the personal data that was transferred under the invalidated framework.

If the company would like to keep the transferred data, it would need to either affirm to the U.S. Department of Commerce its commitment to continue to apply the privacy principles to the transferred data or provide adequate protection for the transferred data by another authorized means, such as SCCs.

Companies will always be held accountable for data transferred under the DPF, and should bear this in mind before committing to the certification. Certification is a long-term commitment requiring more resources and time spent on the DPF framework, even post-invalidation of the DPF.

3. Companies that export and import UK personal data will have to consider how their contracts change because UK data transfers will not be protected by the DPF.

The current UK Addendum is designed for use with the SCCs. Most companies that process UK individuals’ personal data use the UK Addendum in their contracts for transfers of data from the UK to an inadequate country. Therefore, if a company decides to replace the SCCs with the DPF, companies will have to consider how to deal with UK data transfers, including changes to their template contracts to accommodate such transfers. A possible solution would be to pivot to the use of the UK International Data Transfer Agreement as the transfer mechanism in contracts. 

Is Certifying Under DPF Worth the Effort?

This is a decision that each company needs to make in its best interest. For those weighing the options, the decision could come down to analyzing the time currently spent negotiating contracts and filling in transfer impact assessments and questionnaires. How much time and money would your company save if the SCCs, impact assessments, and questionnaires were removed from the contract negotiation process?

Current Requirement: Negotiating SCCs

  • Example Calculation: (Time per negotiation in hours) x (Number of negotiations per year) x (Salary cost / 2000 hours)

Current Requirement: Sending questionnaires to customers

  • Example Calculation: (Time sending and analyzing questionnaires in hours) x (Number of customers) x (Salary cost / 2000 hours)

Current Requirement: Sending questionnaires to vendors

  • Example Calculation: (Time sending and analyzing questionnaires in hours) x (Number of vendors) x (Salary cost / 2000 hours)

Suppose the total cost for the current requirement is more than the projected cost for compliance and recertification. In that case, certifying under the DPF may be worthwhile for your company. Each company will need to make a decision based on their unique circumstances. 

Make a Collaborative Decision

Ultimately, whether or not to certify is a business decision that should consider the savings that come with certifying weighed against the risk that the DPF could be invalidated. Business leaders should also talk with Legal and Compliance teams to understand the different internal perspectives that should be considered while making this decision. Your company’s decision may depend on your size, industry, products, and customer opinions. However you decide, make sure you take a collaborative approach and weigh the pros and cons with consideration for the impacted business operations. Your decision could have a long-term impact on internal processes and on your reputation with your customers.

Nyambura Kiarie is Commercial and Privacy Counsel at AuditBoard and is an experienced privacy, cybersecurity, and technology transactions lawyer who is also an IAPP-certified U.S. and E.U. Data Privacy Professional. Her experience entails building and supporting privacy and cybersecurity programs within organizations and companies with an aim of ensuring that the companies maintain robust compliance programs to differentiate themselves in their respective markets and build their brands by engendering greater trust, loyalty, and cooperation amongst their consumers and customers. Connect with Nyambura on LinkedIn.