Clifford Chance

Talking Tech

German Data Protection Authorities comment on new EU-U.S. Data Privacy Framework

Data Privacy 11 September 2023

On 4 September 2023, the Conference of the German Data Protection Authorities (DSK) published guidance on the EU Commission's "adequacy decision" under the GDPR on the EU-U.S. Data Privacy Framework dated 10 July 2023 (DPF) (see our article European Commission approves EU-US data privacy framework).

In the guidance, the DSK explains the background and the main content of the adequacy decision on the DPF. They focus on the scope of the new mechanism, the use of alternative instruments for transfers to the U.S. and enforcement of data subjects' rights against certified organizations in the U.S. Together with the Q&As on the DPF published by the European Commission and the information note on data transfers to the U.S. published by the European Data Protection Board, the DSK's guidance provides another tool for EU/EEA data exporters, data subjects, and data importers in the U.S. to put the DPF into practice.

The most interesting points in the guidance for controllers and processors intending to use the DPF for transatlantic data transfers are set out below:

SCOPE OF THE DPF

Although the DPF indicates that other authorities may be responsible for certification in the future, to date only U.S. organizations under the supervision of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) are able to self-certify under the DPF. The DSK points out that it is the obligation of the data exporter to verify whether the respective U.S. organization is certified and is currently listed on the DPF list provided by the U.S. Department of Commerce (DOC). They also emphasize that specific sectors such as banking, insurance or providers of public telecommunications networks do not fall within the FTC's or DOT's supervision and, therefore, a transfer of personal data in these areas may not be possible on the basis of the DPF.

Generally, almost all transfers of personal data from the EU to certified U.S. organizations can be based on the DPF; however, there are a couple of exceptions that are sometimes missed:

  • the DPF does not apply to personal data transfers from entities outside the EU/EEA to which the GDPR applies pursuant to Art. 3(2) GDPR (offering of goods/services to EU customers or monitoring of their behaviour).
  • transfers of personal data within the context of journalism or media archives cannot be based on the DPF due to an exception for journalism.

In addition, the DPF only applies to "human resources data" transferred in the context of employment relationships if the respective U.S. organization is certified for such HR data (as the certification does not necessarily include this). Employee data is only covered if the data importer's entry in the EU-U.S. DPF list contains the entry "HR Data" in the "Covered Data" section.

See our PDF for the checks companies intending to rely on the EU-U.S. DPF will have to conduct.

INTERESTING DIFFERENCES TO THE GDPR

The regulations to which data importers are subject under the DPF are similar in content to the GDPR and essentially correspond to the requirements of the Privacy Shield Principles and the Safe Harbor Principles. However, there are two interesting differences to the protection under the GDPR:

The most important one is that the DPF is not based on a general prohibition with limited exceptions (Verbot mit Erlaubnisvorbehalt) but on a so-called "notice and choice" mechanism. As a consequence, onward transfers and changes to processing purposes are only permissible if the data importer

  • notifies the data subjects, e.g. of the data categories, the processing purposes and the recipients or categories of recipients ("notice"), and
  • provides an opt-out mechanism ("choice").

This concept is much more practical and much easier to handle than the very restrictive approach taken by the GDPR.

Another interesting difference applies to the data subject access right. The data subject access right granted under the DPF is subject to a benefit-cost analysis and does not apply if the efforts and costs of granting such access are not proportionate to the risks for the privacy of the data subjects in the respective case. Again, this approach is much more practical and should prevent abuses of the data subject access right, which are becoming increasingly common in the EU.

ALTERNATIVE TRANSFER INSTRUMENTS

The DSK emphasizes that the adequacy decision is binding EU law as long as it is in force. At the same time, they state that transfers remain possible based on other transfer instruments such as Standard Contractual Clauses or Binding Corporate Rules. In this context, the DSK notes that transfers based on such other instruments require a Transfer Impact Assessment and potentially the implementation of supplementary measures.

However, they emphasize that the additional measures implemented by the U.S. government apply irrespective of the transfer mechanism chosen. Consequently, data exporters may consider the DPF in their Transfer Impact Assessment and when assessing supplementary measures to ensure appropriate safeguards. Unfortunately, the DSK does not provide further details on the extent to which the DPF can be considered here and whether the DPF is able to resolve the legal uncertainties regarding the Transfer Impact Assessment and the necessary supplementary measures. More clarity from the DSK would have been helpful here.