Well, it depends. Let me begin by providing an overview of the Data Privacy Framework as adopted on July 11th 2023 and follow by providing my opinion on whether and for which companies a certification under the new framework would add value.
The EU-US Data Privacy Framework in the Big Picture of the Adequacy Decisions
In general terms, according to Chapter V GDPR, a transfer of personal data covered by the GDPR (henceforth, “GDPR data”) is lawful whenever an adequacy decision has been adopted for the recipient country in accordance with Art. 45 GDPR; whenever appropriate safeguards have been implemented according to Art. 46 GDPR; whenever the Commission has approved Binding Corporate Rules in the terms of Art. 47 GDPR; or whenever one of the derogations of Art. 49 GDPR applies. The provisions of Chapter V GDPR have the goal of ensuring that personal data enjoys, in the receiving country, a level of protection essentially equivalent to the one applicable in the EU under the GDPR.
Adopted on July 11th 2023, the EU-US Data Privacy Framework (henceforth “DPF”) is a personal data transfer mechanism under Art. 45 GDPR which legally allows transfers of GDPR data to US companies that have self-certified under the DPF. What is particular about the DPF is that it does not apply to a country as such, like the adequacy decisions recognized by the European Commission for Argentina, Israel, the UK, Japan or Switzerland, for example, but rather to self-certified companies. What this means is that the automatism – for lack of a better word – allowed by this adequacy decision for transfers of GDPR data to the US applies only to self-certified companies and not to any entity receiving GDPR data in the US. For this reason, it may be worthwhile for your company to consider self-certifying under the DPF, as will be discussed below.
It is important to mention as well that the DPF is the successor of the Privacy Shield Framework, which was invalidated in 2020 by the Schrems II judgment of the European Court of Justice. The Privacy Shield Framework had itself been adopted in 2016 following the invalidation of the Safe Harbor Framework as a result of the Schrems I case. Up to this point, and having lived through three consecutive EU-US data privacy frameworks, we can say with confidence, firstly, that a mechanism under which personal data can be transferred to the other side of the Atlantic is essential and, secondly, that it is not easy to adopt a framework that will ensure the protection of personal data subject to the GDPR in essentially the same way as it is protected within Europe. That being said, each attempt stands on somewhat firmer ground than the last and promises ever stronger protection for personal data covered by Art. 3 GDPR.
Applicability of the DPF
Each attempt at adopting an EU-US data privacy framework builds on the last, and in the case of the current DPF, adopted on July 11th 2023, the commitments made by the US government came to complement a scheme applicable to certified companies that was already compliant from the point of view of the GDPR. What this means in practice is that the same companies that were certified as compliant under the Privacy Shield have been automatically certified under the DPF. This is not surprising: the scheme applicable to companies was not the focus of the Schrems II case; rather, Mr. Schrems’ case contested the suitability of the Privacy Shield mechanism to protect GDPR data from access by US government agencies. In other words, the Privacy Shield was invalidated because it did not provide GDPR data with protection equivalent to that which would be applicable in the EU against access by US governmental authorities. When we speak about “equivalent protection” we do not mean that State authorities are prohibited from accessing GDPR personal data in the EU; rather, we mean that such restrictions to the rights and freedoms of data subjects shall consist of necessary and proportionate measures in a democratic society, as understood under European law. Indeed, Art. 23 GDPR does allow restrictions to the scope of the obligations and rights provided for in Arts. 12 to 22 as well as Arts. 34 and 5 GDPR for the purpose of safeguarding national security, defense, public security, etc. However, under the GDPR, and in particular under Art. 23, data subjects’ rights and freedoms shall only and exclusively be restricted by way of a legislative measure and only where such restriction “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society (…)”. In other words, providing GDPR data with equivalent protection in the US when it is accessible to US governmental authorities would mean that the provisions of Art. 23.1 and 2 apply to such access. Indeed, this is what the US government aimed at by issuing an Executive Order in October 2022 strengthening the safeguards for data subject to signals intelligence activities, which was duly considered by the European Commission when adopting its Adequacy Decision on the EU-US Data Privacy Framework in 2023.
Thus, on July 11th 2023, an important data transfer mechanism to be used between the EU and the US was restored, while limitations on US surveillance agencies’ access to GDPR personal data were introduced and a redress mechanism for data subjects was established. In general terms, the EU-US Data Privacy Framework (DPF) applies to data transfers to US companies that have been certified under the DPF which, as mentioned above, are the companies that were previously certified under the Privacy Shield plus those being certified under the new DPF. It is important to mention for the purposes of this article that, as explained above, the Schrems II judgment invalidated the Privacy Shield not on the basis of the compliance of the scheme to be implemented by participating companies but rather on the basis of the lack of essentially equivalent protection for GDPR data when accessed by US governmental authorities. For this reason, the adequacy decision adopted on July 11th 2023 applies in principle to any and all transfer mechanisms, including the Standard Contractual Clauses, as explained by the European Data Protection Board (EDPB) in its information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision in July 2023, where the EDPB confirmed that, “The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used. Therefore, when assessing the effectiveness of the Article 46 GDPR transfer tool chosen, data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision.” (p. 2)
In sum, since July 11th 2023, companies wishing to transfer GDPR personal data to the US can carry out such transfers based either on the adequacy decision, i.e. the DPF certification, on the Commission’s Standard Contractual Clauses, on Binding Corporate Rules, or on one of the derogations of Art. 49 GDPR. For the purposes of this article, we will suppose that the options available to our clients are two: a DPF certification or concluding Standard Contractual Clauses with their business partners.
So, Does Your Company Need a DPF Self-Certification?
Against this backdrop, and circling back to the main question, “Does your company need a DPF self-certification?”, I will attempt a clear and straightforward reply that will allow you to make an informed decision. From our experience with the Safe Harbor, the Privacy Shield and the recent DPF, I will start by saying that whether you decide to opt for a DPF certification or to continue concluding Standard Contractual Clauses accompanied by a short Transfer Impact Assessment in line with the opinion of the EDPB quoted above, you will need a fallback mechanism in case the DPF is once again contested and invalidated. What this means in practice is that you should consider not only the costs involved in implementing the chosen mechanism but also the costs of switching to your fallback mechanism, and how complicated and costly that potential transition will be.
Other factors to be considered when deciding whether to opt for a self-certification under the DPF are: your line of business as it applies to the context within which you process GDPR personal data; the categories of personal data that you process, and in particular whether you process special categories of personal data in the terms of Arts. 9 and 10 GDPR and/or personal data that data subjects could consider sensitive; and finally, the periodicity of your transfers and the number of actors involved. Concluding ten sets of Standard Contractual Clauses per year is not the same as concluding one hundred of them, and the cost in terms of legal fees and administrative effort should be considered.
My straightforward answer for you would therefore be the following, or a variation of it: if you conclude several Standard Contractual Clauses with multiple business partners each year, and if your line of business involves the processing of special categories of personal data or the processing of GDPR personal data in the US at a large scale, you may want to consider self-certifying under the DPF.
If you want to know more about how these factors should be weighed and get more insights to inform your decision, please read my follow-up article “What does the Data Privacy Framework Self-Certification mean for your company?”, where you will learn more about what to consider when deciding on self-certifying under the DPF.