Handley Gill Limited

Certify...certify me!

As the European Commission’s adequacy decision in respect of entities self-certifying to the Trans-Atlantic EU-US Data Privacy Framework offers a less onerous personal data transfer mechanism under the GDPR than standard contractual clauses (SCCs) and supplementary measures, it will be in the interests of US data importers to either maintain and update their existing certification to the Privacy Shield Framework or to certify for the first time under the new regime. The prospect of imminent legal challenge to the lawfulness of the new EU-US DPF may, however, make it less appealing to EEA personal data exporters.
— Handley Gill Limited

Now that the European Commission has adopted its adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework (TADPF or EU-US DPF), US entities which have previously self-certified to the now defunct Privacy Shield or which wish to certify for the first time can position themselves to take advantage of the Framework to ease the burdens on data exporters and themselves.

Following the so-called Schrems II judgment of the European Court of Justice in July 2020 (C‑311/18 Data Protection Commissioner v Facebook Ireland Ltd, and Maximillian Schrems), which struck down the TADPF’s predecessor, the Privacy Shield Framework, as a lawful basis for transferring personal data from the EEA to the US, it has been necessary for personal data exporters and importers to/from the US (outside of a group of companies which might choose to rely on binding corporate rules) to rely on the appropriate safeguard under Article 46(2)(c) GDPR and to conduct a transfer impact assessment (TIA) - aka a transfer risk assessment (TRA) - prior to entering into the modernised standard contractual clauses (SCCs) coupled with supplementary measures, which in practice impose significant additional obligations on US data importers, or otherwise to seek to rely on a derogation.

As the European courts and supervisory authorities have repeatedly found supplementary measures to be wanting, moving to the self-certification model offered by the TADPF is likely to be in the interests of US data importers, particularly once the UK extension applies to avoid having to duplicate service agreements and annexes to incorporate the UK version of standard data protection clauses, the International Data Transfer Agreement (IDTA) or International Data Transfer Addendum.

How do US companies and other non-public sector entities (which must be subject to the jurisdiction of the US Federal Trade Commission (FTC) or another statutory body recognized under the Framework) go about self-certifying adherence to the EU-US Data Privacy Framework?

US entities self-certified to Privacy Shield

US entities already self-certified to Privacy Shield, in accordance with the Privacy Shield Framework Principles, are entitled to rely on the new Framework immediately for data imports from the EEA, but are required to comply with the EU-US Data Privacy Framework (EU-US DPF) Principles and to update their privacy notices to make reference to the new framework by 10 October 2023.

The DPF Principles are consistent with the Privacy Shield Framework Principles and therefore, other than updating their privacy notice and ensuring that their chosen independent recourse mechanism provider will continue to offer services under the DPF, there is no requirement to take different or additional measures.

Annual re-certification will continue to be required, in accordance with the existing certification expiry.

Organisations self-certified to Privacy Shield which do not want to certify under the new Data Privacy Framework need to withdraw in accordance with the International Trade Administration procedure, completing and submitting a withdrawal questionnaire confirming, in relation to personal data received under the Privacy Shield, whether the organisation will return it, delete it, retain it in accordance with the Privacy Shield Principles, or retain it subject to adequate protection in accordance with other authorised means.

US entities self-certifying for the first time

For those US entities not already self-certified to Privacy Shield, from 17 July 2023 eligible entities will be able to self-certify under the EU-US DPF via the Data Privacy Framework (DPF) website.

Self-certification requires the organisation to publicly declare its commitment to the DPF Principles, publish its privacy policy which aligns with the DPF Principles, appoint an independent recourse mechanism and to comply with the Principles. For details, download Handley Gill’s Helping Hand Trans-Atlantic EU-US Data Privacy Framework Self-Certification Checklist.

Some organisations, such as banks and insurers, are not eligible for the DPF. Other organisations, such as those processing personal data for the purposes of journalism or engaged in certain audit or due diligence activities, are not required to comply with the DPF Principles, or parts thereof. ISPs are protected from secondary liability in respect of personal data they merely transmit, route, switch or cache.

While the requirements of the EU-US DPF are less stringent than the requirements under the European Commission’s standard contractual clauses (SCCs) and supplementary measures, and the DPF is therefore likely to be a more attractive lawful basis for transfers of personal data to the US, the risk of imminent legal challenge to the DPF may make data exporters reluctant to adopt the transfer mechanism for fear that contracts will soon need to be revisited. Data importers may therefore wish to consider offering both transfer mechanisms.

Should your organisation require support in preparing to self-certify, negotiating existing data processing agreements, reviewing and revising standard terms for data processing, verifying compliance with the Privacy Shield / DPF Principles or establishing an independent recourse mechanism, please don’t hesitate to contact us.