There has been a wave of data privacy legislation passed over the last decade, with various laws being passed in the European Union and across the states in the United States. In their latest effort, EU regulators have found that the Trans-Atlantic Data Privacy Framework (DPF) will provide EU individuals’ personal data adequate protection when the personal data is stored in the United States. Data flows between the United States and Europe enable the $7.1 trillion U.S.-EU economic relationship and influence global economic growth. This decision impacts not only the large technology companies in the U.S. but all U.S. companies that trade within the EU.
The DPF replaces the now-defunct EU-U.S. Privacy Shield Framework (Privacy Shield Framework) and simplifies EU-U.S. data flows. However, whether or not to certify under the DPF is a decision that most businesses will have to make in the coming months. This article provides an overview of the changes to transatlantic personal data transfer mechanisms and breaks down the potential advantages and disadvantages of signing up for the DPF, to help business leaders decide whether their company should consider self-certifying under the DPF now that EU regulators have deemed it adequate.
Overview of Changes to Transatlantic Personal Data Transfer Mechanisms
Because U.S. privacy laws diverge from the EU’s General Data Protection Regulation (GDPR), and because the GDPR applies extraterritorially, U.S.-based technology companies that also operate in the EU are required to abide by the GDPR. The GDPR imposes some of the most stringent requirements on the handling of an EU individual’s personal data when that data is in the U.S. or in another third country not deemed adequate. The EU and U.S. governments have attempted to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the U.S., but these efforts have not been successful. The solutions, starting with the U.S.-EU Safe Harbor Framework in 2000 and followed by the Privacy Shield Framework in 2016, have consistently been struck down by the Court of Justice of the European Union (CJEU) and invalidated for not adequately protecting the privacy of EU individuals. The constant uncertainty and shifting requirements have increased costs for companies as they work to comply with the ever-changing laws and regulations.
Currently, companies transferring personal data from the EU to the U.S. must comply with GDPR. Under GDPR, all EU companies that transfer data to the U.S. and to other countries whose privacy laws are not deemed to protect EU individuals’ personal data adequately must use appropriate safeguards in the form of transfer mechanisms. The most commonly used transfer mechanism is Standard Contractual Clauses (SCCs) in contracts, which makes such contracts substantially longer and lengthens the contract negotiation process.
Companies must also conduct transfer impact assessments and agree to supplementary measures that further complicate commercial transactions and slow down deal velocity. The lack of legal certainty affects every U.S.-based company that sells its goods and/or services in the EU and every EU-based company that has a U.S. subsidiary or affiliate.
Should You Certify Under the Trans-Atlantic Data Privacy Framework (DPF)?
While the DPF has received mixed reviews, with some EU regulators not wanting the European Commission to extend an adequacy decision to the U.S., the final decision to allow the transfer of EU personal data to the U.S. through the DPF gives companies a critically important and efficient process for transferring personal information.
The approval of the framework ends a time of legal uncertainty surrounding the adequacy of the DPF. This move is good for business, as it provides an efficient option for transatlantic EU personal data transfers without violating the various laws.
Companies should consider the pros and cons of certifying under the DPF. Business leaders should consider their risk appetite, revenue impact, and data flows. This is not a suggestion to certify or not to certify under the DPF. This is only a prompt to consider the issues that come with certifying or not certifying under the DPF.
Potential Advantages of Certifying Under the DPF
Less time and resources are spent negotiating contracts with EU-based customers.
The time and resources spent adding SCCs to commercial contracts and negotiating them will decrease. The related costs of conducting transfer impact assessments and completing questionnaires to determine the risks related to transatlantic personal data transfers will also decrease. The legal and technical resources and stakeholder collaboration needed for these activities will be significantly reduced. Compliance teams will only have to monitor the validity of the DPF. Deal velocity and cash flow will increase, subsequently improving profitability.
Self-certification will be fairly straightforward since the DPF self-certification process is substantially similar to the prior Privacy Shield Framework self-certification process.
Companies that are still Privacy Shield certified will not have to change many of their internal processes and procedures to remain certified under the DPF. The only requirement for U.S. companies that are still active participants in Privacy Shield is to ensure that they have an updated privacy notice by October 10, 2023. Companies that are not yet certified but have a functioning privacy and security compliance program based on GDPR are closer to meeting the requirements for DPF certification since the DPF principles contain a set of commonly recognized privacy principles. This means that companies that already comply with the GDPR may not have difficulty meeting the DPF compliance requirements.
Completing transfer impact assessments will become easier
For each new processing activity that involves data transfers to countries not deemed adequate by the European regulators, transfer impact assessments (TIAs) are compulsory under the Schrems II judgment and as prescribed by the EDPB Guidance on Supplementary Measures for data transfers; this applies when using the June 2021 Standard Contractual Clauses (SCCs). A TIA examines the specific data transfer rather than providing a general assessment of all data transfers to that third country. TIAs usually take the form of questionnaires that rank the risk of a transfer based on the likelihood that local authorities will be able to access EU personal data. Filling in such questionnaires is time-consuming. However, once a company is certified under the DPF, sections of TIAs will be easier to complete because importers of EU personal data can rely on the EU regulators’ adequacy decision regarding the DPF to show that such transfers will be protected.
Companies that export and import UK personal data have the option of signing up for the UK Extension to the EU-U.S. DPF.
The current UK Addendum is designed for use with the SCCs. Most companies that process UK individuals’ personal data use the UK Addendum in their contracts for transfers of data from the UK to a country not deemed adequate. However, as of October 12, 2023, a company that decides to replace the SCCs with the DPF can also certify under the UK Extension to the EU-U.S. DPF for transfers of personal data from the UK (the UK-U.S. Data Bridge). Companies that participate in the DPF are automatically deemed safe to receive data from the UK as a result of the UK-U.S. Data Bridge.
Companies that transfer Swiss personal data should consider how their contracts change if they choose to self-certify under the DPF.
For Swiss transfers, U.S. organizations may submit applications to self-certify on the new DPF website, following all instructions closely. They may rely on the DPF for Swiss transfers once the pending adequacy decision for that jurisdiction is finalized. In other words, Swiss transfers will be covered by the DPF once the respective supervisory authorities deem the DPF adequate for personal data transfers from their regions, which makes certification under the DPF convenient for entities that have operations in the EU, the UK, and Switzerland.
Potential Disadvantages of Certifying Under the DPF
The DPF is likely to be challenged in court and possibly invalidated as a result.
While there could be a short-term period of less work under the DPF, the prior frameworks were generally struck down within two to three years of being found adequate by the European Commission. As of October 2023, a French member of parliament has challenged the validity of the DPF. Consequently, companies do not want to expend the effort of self-certification only to have the DPF invalidated again. Contracts would also have to be amended to add a valid transfer mechanism if the DPF is invalidated, wasting resources and time.
The expectation will be to continue to be accountable for the personal data transferred under the DPF, even if the DPF is invalidated.
As happened with the now-defunct Privacy Shield Framework, companies must recertify under the DPF to affirm to the U.S. Department of Commerce on an annual basis their commitment to continue applying the DPF Principles to the transferred data, even if the DPF is invalidated, unless they can show that they have safely destroyed or returned the personal data transferred under the invalidated framework. A company that would like to keep the transferred data would need either to affirm to the U.S. Department of Commerce its commitment to continue to apply the privacy principles to that data or to provide adequate protection for it by another authorized means, such as SCCs. Companies will always be held accountable for data transferred under the DPF and should bear this in mind before committing to certification. Certification is a long-term commitment that requires resources and time spent on the DPF framework even after any invalidation of the DPF.
Is Certifying Under DPF Worth the Effort?
This is a decision that each company needs to make in its best interest. For those weighing the options, the decision could come down to analyzing the time currently spent negotiating contracts and filling in transfer impact assessments and questionnaires. How much time and money would your company save if the SCCs, impact assessments, and questionnaires were removed from the contract negotiation process?
Current Requirement: Negotiating SCCs
Example Calculation: (Time per negotiation in hours) x (Number of negotiations per year) x (Salary cost / 2000 hours)
Current Requirement: Sending questionnaires to customers
Example Calculation: (Time sending and analyzing questionnaires in hours) x (Number of customers) x (Salary cost / 2000 hours)
Current Requirement: Sending questionnaires to vendors
Example Calculation: (Time sending and analyzing questionnaires in hours) x (Number of vendors) x (Salary cost / 2000 hours)
If the total cost of the current requirements exceeds the projected cost of compliance and recertification, certifying under the DPF may be worthwhile for your company. Each company will need to make a decision based on its unique circumstances.
Make a Collaborative Decision
Ultimately, whether or not to certify is a business decision that should consider the savings that come with certifying weighed against the risk that the DPF could be invalidated. Business leaders should also talk with Legal and Compliance teams to understand the different internal perspectives that should be considered while making this decision. Your company’s decision may depend on your size, industry, products, and customer opinions. However you decide, make sure you take a collaborative approach and weigh the pros and cons with consideration for the impacted business operations. Your decision could have a long-term impact on internal processes and on your reputation with your customers.
Nyambura Kiarie is Commercial and Privacy Counsel at AuditBoard and is an experienced privacy, cybersecurity, and technology transactions lawyer who is also an IAPP-certified U.S. and E.U. Data Privacy Professional. Her experience entails building and supporting privacy and cybersecurity programs within organizations and companies with an aim of ensuring that the companies maintain robust compliance programs to differentiate themselves in their respective markets and build their brands by engendering greater trust, loyalty, and cooperation amongst their consumers and customers. Connect with Nyambura on LinkedIn.