If you’re a U.S.-based company doing business in the EU, you’ve likely spent countless hours and financial resources negotiating Standard Contractual Clauses and answering transfer impact assessment (TIA) questionnaires from customers. But what if there was an easier solution? The new EU-U.S. Data Privacy Framework (DPF) is coming soon, promising seamless GDPR-compliant data flows from the European Economic Area (EEA) to DPF-certified companies in the U.S.
If you want to get a head start, certify under the Privacy Shield Framework before the DPF becomes effective. According to the U.S. Department of Commerce, this will allow your Privacy Shield-certified organization to rely on the DPF for transfers as soon as the DPF becomes fully effective. The European Commission already published a draft adequacy decision deeming that the DPF provides sufficient protection for personal data transferred from the EEA (including the EU). And on February 28, 2023, the European Data Protection Board (EDPB) issued its Opinion 5/2023 recognizing substantial improvements in the DPF when compared to its predecessor, the Privacy Shield.
If everything goes according to plan, and the DPF is approved by a committee of Member State representatives, the final adequacy decision will be adopted by mid-2023. DPF-certified companies and companies doing business with DPF-certified companies will be able to enjoy smoother transatlantic data flows from the day the final adequacy decision becomes effective.
To be sure, according to the U.S. Department of Commerce, companies that are certified under the Privacy Shield Framework on the date that the DPF comes into force will be able to rely on the DPF for their transfers on that date. This means that companies can get a head start by certifying under the Privacy Shield Framework now and reap the benefits of the DPF from day one!
The Key Takeaways from the DPF: What You Need to Know
The DPF is a framework that aims to provide a safe, reliable, efficient and cost-effective way for businesses to transfer personal data between the EEA and the United States and has been hailed as the replacement for the invalidated EU-U.S. Privacy Shield.
Here are the key takeaways you need to know about the DPF (more detail below):
- The DPF will not create any new obligations for participants compared to the Privacy Shield, making the certification process similar for both frameworks.
- DPF participation will be the simplest, most reliable, and most cost-effective EU-U.S. personal data transfer tool available.
- The DPF will eliminate the need for transfer impact assessments, 2021 SCCs, and supplementary measures when sharing data with U.S. businesses certified under and compliant with the new DPF.
- VeraSafe expects the DPF to withstand legal challenges, thanks to U.S. efforts to address concerns surrounding data subjects’ redress.
1. No Substantial New Obligations
VeraSafe’s privacy team has examined the text of the new DPF Principles and has concluded that the DPF will not create new substantive obligations as compared to the Privacy Shield. However, one major and very positive difference is that the DPF will apply to key-coded data (which is great news for sponsors of clinical trials in the EU). The lack of new obligations is not surprising: recall that the Privacy Shield Framework was invalidated only because the CJEU found deficiencies in the U.S. legal framework relating to the lack of redress for EU individuals, not in the Privacy Shield Principles as such.
2. The Privacy Shield Provides a Helpful Model for Operationalizing the Requirements of the SCCs, the GDPR and Other Global Privacy Laws (Including in the U.S.)
The Privacy Shield provides a standardized set of requirements for companies to follow when handling personal data, covering areas like notice, choice, accountability for onward transfers, and security. By meeting these requirements, companies can demonstrate that they are committed to protecting the privacy and rights of individuals, which can enhance their reputation and build trust with customers, partners, and regulators.
In addition to being a valuable compliance tool and certification, building a data protection program that satisfies the principles of the Privacy Shield/DPF can also help organizations meet many privacy requirements in the U.S. and the rest of the world. While customization is needed to address differences in data privacy regulations across jurisdictions, such as data breach reporting requirements, children’s privacy rules, and sectoral rules, the Privacy Shield principles meet or exceed the standards of many data privacy regulations.
3. Organizations Will Be Able To Use the Framework for Transfers the SCCs Cannot Be Used for
There’s a type of personal data transfer for which the EU 2021 SCCs cannot be used. The European Commission explicitly stated that these SCCs cannot be used for data processing activities when the data importer is already subject to the GDPR for that processing activity [1]. However, it will be possible to use the DPF for these transfers. U.S. organizations receiving personal data for processing activities already governed by the GDPR will be able to rely on the DPF for their EU-U.S. transfers.
Participating in the DPF has many practical benefits for organizations, including that they will no longer be required to perform transfer impact assessments, use the EU 2021 SCCs, or implement supplementary measures for new transfers of personal data. By relying on the adequacy of the DPF, organizations will be able to bypass these additional compliance steps.
When organizations rely on an adequacy decision to conduct data exports from the EEA, their only obligation under Chapter V of the GDPR is monitoring that the adequacy decision remains valid. The EDPB guidance [2] provides that they do not need to implement supplementary measures, conduct transfer impact assessments, or enter into other types of data transfer mechanisms like the EU 2021 SCCs. This means that DPF-certified organizations will save time and resources by avoiding these additional compliance requirements.
4. There Are Reasons to Believe that the DPF Will Withstand Legal Challenge (At Least for a Few Years)
VeraSafe explained the reasons to believe that the DPF will withstand legal challenge by Schrems’ organization in a prior blog post. Regardless, should there be a legal challenge against the DPF, it will likely take 2-3 years before the Court of Justice of the EU can examine it. That is multiple years without having to include SCCs in every contract, conduct transfer impact assessments for every new transfer of personal data, and negotiate and implement supplementary measures.
Waiting Is Not Advisable
As soon as the European Commission recognizes the DPF as a valid data transfer mechanism for the EU, companies that provide Privacy Shield / DPF verification services will be overwhelmed with requests to assist businesses in certifying under the DPF. This increased demand will inevitably cause delays in services. Moreover, initial certifications at the advent of the DPF will likely take an exceptionally long time to be processed and approved, given the novelty of the process and the technology system that is being developed to manage the certifications.
So What Does Privacy Shield Self-Certification Entail? How Can VeraSafe Help with It?
VeraSafe has been advising organizations for over 13 years on data protection compliance, and with our Privacy Shield Certification Program, we have assisted hundreds of organizations in certifying under the Privacy Shield and bringing their data transfers into compliance with the GDPR and Swiss law. We can also help you prepare for the DPF by assisting your organization to self-certify under Privacy Shield and help ensure you’re compliant with any further compliance obligations after the effective date of the DPF.
If you need guidance on these developments and their implications for your organization, please contact us for a free consultation.
We can assist with the following:
- Thorough Privacy Shield Compliance Assessment: Our consultants and in-house attorneys can identify compliance gaps and propose practical solutions that reduce preparation time.
- Dispute Resolution: Your organization can enroll in our Privacy Shield Dispute Resolution program that satisfies the Privacy Shield’s Recourse, Enforcement and Liability Principle.
- In-Depth Manual Penetration Testing: We can conduct IT vulnerability penetration testing of your in-scope IT systems and assist in remediating identified vulnerabilities.
- Privacy and Security Training: The Privacy Shield requires you to implement a privacy and security training program for your staff. Our program includes a fully compliant, web-based training solution to satisfy this requirement.
- Certification Application Guidance: We offer guidance on the certification process through the Department of Commerce’s Privacy Shield website via screen sharing.
- Third Party Verification with Findings Report: We provide a compliance verification report that documents exactly how you’re satisfying each criterion of the Framework.
- VeraSafe Helps You Recertify When the Time Comes: We provide assistance for recertifying your compliance with the EU-U.S. Privacy Shield and/or Swiss-U.S. Privacy Shield.