What does it mean that a company is Data Privacy Framework certified?
In July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). Since then, US companies have been able to self-certify under the DPF. Certification is voluntary, and a company may well decide not to certify. Each company will decide whether to become DPF-certified depending on its:
- type of business operations
- risk appetite
- global privacy program
It is important to remember that, in a processing activity involving an international transfer of personal data, a DPF-certified company may act as:
- a data controller
- a joint-controller
- a data processor
Regardless of its role, a DPF-certified company commits to providing a level of protection for personal data received from the EU that is essentially equivalent to the one guaranteed by the GDPR. The key advantage is therefore that the transfer can rely on the adequacy decision (Article 45 GDPR) as its legal basis, so no additional transfer tool is needed.
However, being DPF-certified is not a free-for-all situation for international data transfers to the US, because:
- the certification might not cover all the products and/or services of the certified company (the scope declared in the DPF list should be checked against the data actually transferred)
- where the certified company acts as a processor, a Data Processing Agreement (DPA) is still required under Article 28 GDPR.
What does it mean that a company is not DPF-certified?
It is important to remember that there is no adequacy decision in place for the US as a country, but only for transfers to US companies that are DPF-certified. This means that if a company is not DPF-certified, the legal basis for the international data transfer cannot be an adequacy decision, but must instead be one of:
- Standard Contractual Clauses (SCCs) – Article 46 GDPR
- Binding Corporate Rules (BCRs), if applicable – Article 47 GDPR
- Derogations for specific situations – Article 49 GDPR
Moreover, for transfers based on SCCs or BCRs, a Transfer Impact Assessment (TIA) is required.
Final considerations and two notes of caution
First consideration: the Data Privacy Framework relies on the safeguards introduced by Executive Order 14086 of 7 October 2022 (EO), which was specifically designed to meet EU standards of proportionality, necessity, and redress. An Executive Order is issued by the President of the United States and can be amended or revoked by a later President, which would put the DPF in jeopardy. Although this is a remote possibility, it is not a zero-chance scenario.
Second consideration: it is not unlikely that the DPF will be declared invalid by the Court of Justice of the European Union (CJEU), as already happened to its predecessors, Safe Harbor (2015) and the Privacy Shield (2020). Cases have already been brought before the EU courts, and a decision on the validity of the DPF (potentially a "Schrems III") may follow.
Due to this high level of uncertainty, it is advisable not to rely solely on the DPF as a lawful transfer mechanism, and to seek professional advice to implement the best strategy for your international data transfers to the US. Does your organization deal with US companies, or do you have any questions about the DPF? Contact us, the Experts in Data Privacy, at firstname.lastname@example.org for assistance.