The European Commission has published its FAQs on the adequacy decision regarding data transfers, but they do not give all the necessary answers, so let's try to clarify some potential grey areas. Based on initial discussions with clients, here are the main requests for clarification, and the relevant answers, on the adequacy decision relating to data transfers to the United States:
1. It was advertised as an adequacy decision, but the Data Privacy Framework (DPF) works like the Privacy Shield: entities must comply with specific obligations in order to be certified;
2. The U.S. Department of Commerce has issued a statement that companies already certified under the Privacy Shield automatically become certified under the DPF, provided they update their policies by October 10, 2023; they can rely on the DPF right away. There is now a list of DPF-certified companies, which is the same as the list of companies previously certified under the Privacy Shield, because companies do not have to re-certify. Only companies that do not want to be certified under the DPF will have to request deletion from the list;
3. The certification might not cover all the products/services of the US entity, since there are commitments to comply with and, as happened in the past with the Privacy Shield, US entities might not be able to comply with them for all their products/services;
4. Not all companies are eligible to be certified under the DPF, since they must be entities falling under the investigatory and enforcement powers of the Federal Trade Commission or the U.S. Department of Transportation (DoT). This leaves out of scope, for instance, banks and insurance companies, but covers their tech suppliers;
5. As such, the DPF does not work like the adequacy decisions applicable to, for instance, the UK and Japan. It will need to be checked whether the entity can be DPF certified, whether it is certified, and whether the offered products/services are covered by the certification;
6. If the answer to any of the questions under the point above is NO, the applicable regime is the same as the one before July 10, 2023, and therefore a transfer impact assessment (TIA) shall be performed;
7. If the answer to any of the questions under the point above is YES, then you might decide to rely on the DPF. Be aware, however, that NOYB will bring the case to the ECJ in a couple of years, and the precedents favor Max Schrems and his friends. Besides, in most cases Big Tech companies transfer data not only to the US but also to other non-EEA jurisdictions, and therefore you shall continue running a TIA for those countries;
8. The DPF is still very good news since, for as long as it lasts (which is uncertain), it makes it possible to avoid the extremely stringent regime on data transfers arising from the decision of the Irish Data Protection Authority against Meta, which left quite limited scope for data transfers by entities subject to FISA, even though the criteria unfolded in that decision are definitely arguable, as covered in this article: “Meta € 1.2 bn GDPR fine, what to do with data transfers now?”.
I hope it helps; please send me any comment/question!
All in all, businesses will still need support to perform TIAs, and DLA Piper's Transfer tool is already used by 300+ clients.