Ireland's Data Protection Commission published a long list of case studies from its first five years of GDPR enforcement. Here is what we learned.
The formal adoption of the EU-U.S. Data Privacy Framework (DPF) by the European Commission in July 2023 was an important development for most businesses that have to comply with the GDPR, and especially businesses that are based in the United States. After years of legal uncertainty, the DPF provides an easy way to transfer personal data from the European Economic Area, United Kingdom, and Switzerland (we’ll just say “Europe”) to the United States.
Tl;dr: The GDPR generally prohibits the transfer of Europeans’ personal data to the United States. After a lot of trial and error, the DPF provides a simple and legally safe means to process data in the U.S.
The GDPR prohibits the transfer of personal data from Europe to any “third country,” meaning any country outside of the GDPR’s scope. There are a few important exceptions to this rule, however. The most important exception is when the third country has been the subject of an “adequacy decision” by the European Commission. An adequacy decision indicates that the third country provides a level of privacy protection that is roughly equivalent to Europe’s laws.
Until recently, the United States has not been the subject of an adequacy decision. The reason for this is twofold: the lack of a federal data privacy standard and the revelations of mass data surveillance by American intelligence agencies (made public by Edward Snowden). Given how much personal data flows through American tech companies—just think of how many websites use Google Analytics—this rule has created huge headaches for a lot of businesses.
The EU and United States have tried in the past to come up with ways to keep the data flowing. Most notable was the Privacy Shield program, in which businesses could self-certify that they follow certain data-privacy principles. The Privacy Shield program was stuck down by European courts in 2020, though, for providing an insufficient level of protection.
This left most businesses with no choice but to rely on Standard Contractual Clauses (SCCs), customized contracts between businesses that import and export data. However, SCCs had some glaring problems. They required expensive transfer impact assessments that only large companies actually bothered to complete. Worse, they didn’t really fix anything, because the main problem was surveillance by the U.S. Government. For this reason, SCCs were invalidated as a transfer mechanism in May 2023. (To make this even more confusing, once the DPF was in place, SCCs were re-validated as a transfer mechanism, though they are still not the best option for most businesses)
This brings us—finally—to the EU-U.S. Data Privacy Framework. The DPF serves as an adequacy decision for the United States, as long as the data recipient has an active DPF certification. (It also obligates the U.S. Government to provide recourse mechanisms for Europeans whose data may have been intercepted.) This provides a streamlined and easily verifiable means to transfer European data to American companies.
If you’ve already been dealing with the issue of international data transfers for the last few years, this is a common concern. We’ve definitely seen it happen before: A new transfer solution arises—such as the Privacy Shield program—only to be shot down a couple of years later and send businesses scrambling.
These concerns are valid. The European privacy group None of Your Business (the driving force behind most of these court cases) has already vowed to challenge the legality of the DPF, claiming it doesn’t go far enough to protect Europeans’ data from U.S. government intrusion.
For their parts, the European Commission and the White House have stated that they are confident the new framework will hold up to scrutiny. Only time will tell, and if history is any guide, it will likely take a few years to get an answer.
Short answer: Yes, businesses can still use standard contractual clauses.
European data protection authorities recently decided that SCCs were insufficient for enabling transfers of data to the United States, because they can do nothing to change the behavior of the U.S. Government. However, the Data Privacy Framework has breathed new life into SCCs, because it requires the government to rein in some of its surveillance activities and provide a recourse mechanism for those whose data has been collected. The DPF therefore allows for the renewed use of alternate transfer mechanisms such as SCCs and BCRs, because it addresses the concerns of European data protection authorities regarding government access to personal data (in theory).
As a result, many businesses have taken a wait-and-see approach to the DPF, on the assumption that they continue to rely on SCCs. In some ways this is a sensible plan, but it comes with a few major caveats.
First, if the Data Privacy Framework is struck down, SCCs will likely also be invalidated. Any legal challenge to the DPF will almost certainly focus on whether the concessions made by the U.S. government were sufficient to protect Europeans’ data privacy. The validity of SCCs is dependent on those concessions, so if European courts decide they are not enough, the SCCs will effectively be struck down as well.
Second, SCCs are costly to implement. For processors that mostly act as data importers (SaaS companies, for example), SCCs are alluringly simple. By adding a lot of boilerplate language to their data processing agreement, they can tell their customers that they offer GDPR-compliant SCCs in order to enable international data transfers. While that may be true, it ignores the fact that this places a significant compliance burden on their customers.
SCCs still require data exporters to carry out a transfer impact assessment (TIA) for each processing activity, looking at the risks involved in the transfer. TIAs are time-consuming and costly to perform. Worse still, many businesses are simply not doing them because they are not aware of the requirement, thinking that signing a DPA is enough.
Choosing whether to stick with SCCs or participate in the DPF is ultimately a business decision, but companies should keep in mind that they are not a “backup plan” and they carry their own significant drawbacks.
These examples should help clarify the GDPR rules on international data transfers. (Find more examples from European data protection authorities here.)
Example 1
An U.S.-based eCommerce business has no physical presence in the EU, but does offer its products to Europeans, making it subject to the GDPR. The business collects Europeans’ personal information through its website, and uses various U.S. vendors such as Google Analytics to process that personal information.
There are a few important things to note here. First, the initial collection of Europeans’ personal information by the U.S.-based business is not itself an international data transfer for GDPR purposes. That is because the data subject is the one who initiated the transfer by interacting with an American website. Second, any onward transfers of personal data within the United States, such as the use of Google Analytics in this example, are considered international data transfers.
This means that the business in the above example needs to ensure that all of its U.S.-based data recipients have an active DPF certification. Luckily, it can look up active DPF participants on the official DPF website.
Example 2
An American retail business has a physical presence in the EU, which operates as a separate European subsidiary. The EU subsidiary regularly sends Europeans’ personal data about its customers and employees to its U.S. headquarters.
In this example, the initial collection of personal data by the subsidiary is not an international data transfer, because it is located within the EU. However, the disclosure of personal data by the subsidiary to the U.S. headquarters is an international data transfer, because they are two separate legal entities. In order for the transfer to be valid, the U.S. headquarters must be an active DPF participant, or else the two entities must depend on an alternate transfer mechanism such as SCCs or Binding Corporate Rules (BCRs).
Unfortunately, it is difficult to give a clear answer on when a U.S. B2C business needs to participate in the DPF, due to uncertainty in the law and guidance from European authorities. The answer will depend on the nature of your business and how it receives personal data from Europe, so you should consider discussing the matter with your attorney.
If your business resembles Example 2 in the above section (receiving data from an EU subsidiary), it will likely need to find a way to legally transfer data within the company. The DPF is one option that is relatively easy and cost-effective, but SCCs and BCRs are viable options as well.
If your business looks more like Example 1, the answer is a little murkier. The initial collection of personal data as described in Example 1 is not an international transfer of data, but subsequently sending that data to a third party within the United States is an international data transfer. Current guidance from the European Data Protection Board makes that clear.
Those same guidelines also state that if an American business sends non-European data to a processor in the EU, that processor is performing an international data transfer when it returns data back to the United States. The processor therefore has a responsibility to only perform the transfer under appropriate safeguards such as the DPF, and therefore may require the American business to participate in the DPF. Following this same logic, it’s possible that when an American business sends EU data to an American processor, the return of that data from the processor back to the business is a separate international data transfer. If that is the case, the original business may need to be DPF-certified in order to stay GDPR compliant.
If trying to follow all this is breaking your brain…you’re not alone. It’s definitely a complicated area of GDPR compliance, and it is always changing. The main thing to keep in mind is that, even if your business is more like Example 1, you can’t rule out the possibility that you may need to be DPF-certified in order to keep working with some processors.
Even though international data transfers may be complicated, the good news is the self-certification with the Data Privacy Framework is relatively straightforward. Here are the steps to complete, according to the DPF’s official website:
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.