Standard Contractual Clauses or Data Privacy Framework – what to do? (Q&A Part 1)
As reported, on July 10, the European Commission issued an adequacy decision based on the Data Privacy Framework (“DPF”). This is important news as it opens up a new way to legitimize data exports from the EU to the US.
As a reminder, since the ECJ’s “Schrems II” ruling, the most commonly chosen (because relatively easiest) way to legitimize data exports to the U.S. has been to agree to standard contractual clauses in accordance with Article 46 (2) c GDPR (“SCC”). Most companies will therefore currently use SCC as means to legitimize their data exports. Now, the “DPF” offers another possibility to legitimize data exports in accordance with Art. 45 (1) GDPR. However …
… which instrument is preferable – SCC or DPF?
We want to discuss this question and the related issues in a Q&A – here is the first part:
Data exports to the U.S. – do I need to bother?
Most likely: yes.
Your company is a data exporter if it transfers personal data from Europe to the USA in the course of its business. This is regularly the case for all companies that have direct contacts with companies in the USA or have subsidiaries across the Atlantic. However, it also applies to any company which uses services from U.S. companies and transfers data to the U.S. as part of this use. This can be, for example, any kind of software-as-a-service offering or commissioned data processing (for example, “Google Analytics” as a service known and used by many).
Which instrument am I currently using?
If you don’t know the answer to this question, chances are you have a significant problem! Any data export to the USA is only permissible if based on a valid legitimation in accordance with Art. 44 et seq. GDPR. This legitimation must be fulfilled in addition to the legitimation the actual data processing requires in accordance with Art. 6 GDPR. It is the responsibility of the data exporter to ensure both. And if this is not the case, all conceivable sanctions of the GDPR may apply, in particular fines and damages.
This is more than enough reason to check whether your company exports data to the USA and if so, if these are performed on a legitimate basis!
I currently use SCC – do I have to switch to DPF now?
No. The GDPR offers a select range of possibilities to legitimize data exports in Art. 44 et seq. GDPR. These possibilities coexist as independent alternatives. In principle, it is possible to freely choose between the options, provided they are available for the destination country of the data export.
Thus, the use of SCC for data exports to the U.S. remains fully legitimate. For all companies that have effectively agreed to SCC, issuance of the DPF does not impose any current need for action.
So which one is better – SCC or DPF?
That depends on the parties involved in the data export and their interests. Note that the data exporter and the data importer do not necessarily share the same perspective. Additionally, for the data importer in the U.S., the answer will always depend on an assessment of applicable U.S. law.
Please note: the DPF is only available for data exports to the USA. The SCC, on the other hand, can in principle be applied to exports to any country outside the EU (for which, however, an instrument identical to the DPF may exist).
Who actually decides whether to apply SCC or DPF?
According to Art. 44 GDPR, responsibility for data exports lies solely with the data exporter. He – and not the data importer – must ensure that the requirements of a legitimate data export are met. This includes in particular the fulfillment of the transparency obligations towards the data subjects, because data exports and their legal basis must be notified pursuant to Art. 13 (1) (f) GDPR. As a mirror of this responsibility, the data exporter is liable to both the supervisory authorities and the data subjects if the legal requirements for the data export are not met.
As a consequence, the choice of the legal basis for data exports lies within the data exporter’s free discretion, and the data importer must respect this decision. In reality, however, this relationship is likely to be reversed more often than not. This is because the balance of power between the data exporter and the data importer often leads to the data importer choosing the legal basis, e.g. for data exports that take place in the context of the use of the data importer’s digital services.
To be continued!
You can find Part 2 of this Q&A here. You can find Part 3 of this Q&A here.