Navigating data transfers between the EU and the US is a complex and challenging task, requiring businesses to balance the commercial imperative of transatlantic data flows against the European fundamental right to data protection. In recent years, two decisions of the European Court of Justice (ECJ) have unceremoniously forced businesses to rethink their data transfer strategies, too often leaving companies to face an irreconcilable dilemma: how to transfer personal data to the US in compliance with EU data protection law.
The latest installment in the data transfer saga came in July 2023, with the launch of the EU-US Data Privacy Framework (DPF). It could bring welcome calm to this topic. While skepticism is understandable given the rocky history of international data transfers, the DPF offers compelling reasons for eligible businesses to self-certify.
What is the DPF?
The DPF is a self-certification scheme available to companies subject to the US Federal Trade Commission (FTC)’s jurisdiction (thus excluding, for example, banks). Companies that want to benefit from it must adhere to seven “DPF Principles”, which are elaborated on in a series of accompanying FAQs, and self-certify their compliance with the DPF to the US Department of Commerce via an online portal.
The US Department of Commerce maintains oversight of the DPF, and the FTC enforces it under Section 5 of the FTC Act (unfair and deceptive practices). If self-certified companies do not comply with the DPF Principles, or with their representations to consumers about compliance with EU data transfer requirements, the FTC can go after them for unfair and deceptive practices.
Given this enforcement risk, the decision to self-certify to the DPF should not be taken lightly. However, businesses that complete the self-certification process and take the steps necessary to ensure ongoing compliance with the DPF Principles will enjoy several benefits that largely outweigh the risk.
Why Should I Self-Certify to the DPF?
- Companies that have certified to the DPF can lawfully receive personal data from EU data exporters, provided that they comply with the DPF Principles. In practice, these principles broadly match the key principles of EU data protection law but are slightly more flexible. While non-governmental organizations (NGOs) might decide to litigate this flexibility, it should be lawful, as the threshold that the DPF must meet under EU law is that the level of protection is “essentially equivalent” but not identical.
- Compared to other data transfer solutions, certification to the DPF is arguably more streamlined and efficient. It does not require a complex web of contracts that are difficult to implement and update, as is the case for Standard Contractual Clauses, nor does it require going through lengthy and detailed approval processes, as is the case for Binding Corporate Rules. In addition, for organizations looking to sell services in the EU, the DPF may provide reassurance to potential customers and reduce time to contract.
- The DPF may also cover transfers from the UK and Switzerland under the “UK Extension to the EU-U.S. DPF” and “Swiss-U.S. DPF” when they come into force, which is expected to take place later in 2023.
- Where transfers take place on the basis of the DPF, organizations are not required to carry out a Data Transfer Impact Assessment (DTIA). The requirement to carry out a DTIA was imposed as a result of the ECJ’s ruling in the now-infamous “Schrems II” case, and typically requires companies to invest substantial resources. This aspect of the DPF is likely to be particularly advantageous to companies (both customers and participants).
- For US companies falling under the jurisdiction of the FTC, US law may offer some reassurance. It allows them to engage with familiar regulators and operate under well-known laws and procedural guidelines.
- Certifying to the DPF and simultaneously relying on existing data transfer mechanisms could also be beneficial for some companies. A ‘belt and suspenders’ approach using multiple legal safeguards to cover potential gaps can offer a multi-layer defense to mitigate legal risks.
- Self-certification to the DPF involves undertaking to comply with the DPF Principles. Organizations previously certified to the Privacy Shield will find that little has changed regarding the steps needed to enter the scheme. These organizations will, therefore, find it relatively simple to certify if they have maintained their Privacy Shield compliance programs.
- The proliferation of state privacy laws throughout the US is a recent phenomenon. Steps taken (or currently underway) by organizations to comply with such laws may expedite preparations for DPF certification and make the risk of submitting to the FTC’s jurisdiction more manageable.
Is the DPF Here to Stay?
While the future remains uncertain, and it's a given that the DPF will face legal scrutiny from NGOs, there are compelling reasons to believe that it may withstand the test.
First, the DPF enjoys political consensus and engagement on both sides of the Atlantic, lending it credibility and momentum. Too much political weight has been put into this framework to have it fail a third time.
Second, unlike Schrems I, the ECJ’s Schrems II judgment offered the European Commission more details to negotiate a valid framework with US authorities. As affirmed by the European Data Protection Board (EDPB), the DPF is a “substantial improvement” when compared to its predecessor. Therefore, it seems unlikely that the ECJ would invalidate the DPF on the same grounds as the Privacy Shield.
Third, to establish the DPF, the US adopted a new Executive Order that significantly impacted US surveillance practices and introduced the concept of proportionality under US surveillance law. The fact that the EDPB confirmed that the guarantees from the Executive Order could extend to all data transfer mechanisms is a positive indicator.
In any case, should the DPF be invalidated, it won't spell the end. We'll likely see another round of negotiations leading to a fourth EU-U.S. data framework. After all, the stakes are too high to let this issue linger. Transatlantic data flows are crucial to both the U.S. and EU economies. As stated by the White House, transatlantic data flows are “critical to enabling the $7.1 trillion EU-U.S. economic relationship”. This leaves both parties with no choice but to find a lasting solution to this enduring challenge. And who knows, the DPF might just be that solution.