Standard Contractual Clauses or Data Privacy Framework – what to do? (Q&A Part 2)
Since July 10, 2023, the adequacy decision based on the “EU/US Data Privacy Framework” (“DPF”) provides a new possibility to legitimize data exports to the USA. Until now, the preferred (because relatively easiest) way to legitimize such data exports was to agree on the Standard Contractual Clauses (“SCC”) in accordance with Article 46 (2) (c) GDPR. Accordingly, most companies will currently use SCC as the means to legitimize their data exports. Now, the DPF offers another possibility to legitimize data exports in accordance with Art. 45 (1) GDPR. This raises the question: SCC or DPF?
We have discussed a few related issues already in the first part of our Q&A – here is the second part:
What is the key difference between SCC and DPF?
The main difference lies in the legal nature: the SCC are a contract. The DPF is an international treaty based on which the EU Commission has adopted its Adequacy Decision.
As a contract, the SCC must be explicitly agreed between the parties. Thus, SCC require the preparation and exchange of documents, including, in particular, a Transfer Impact Assessment. Most importantly, a contract is effective only between the parties to the contract. This is also true of SCC, although they explicitly include additional third-party beneficiaries in the contract. Third-party beneficiaries of the SCC are the data subjects, i.e. the people whose data are exported. Under the SCC, they directly acquire their own rights vis-à-vis both the data exporter and the data importer.
The DPF – or more precisely, the Adequacy Decision based on it – is a legal act of the European Commission. This legal act confirms across the board the legality of the data export, provided the data importer in the U.S. is a certified participant in the DPF. Neither the DPF itself nor the Adequacy Decision imposes any direct obligations on the data exporter, though the DPF does impose obligations on the data importer (see below). The data exporter can therefore rely on the DPF, i.e. on Article 45 (1) of the GDPR, as the legitimization of its data export without taking any further measures or having to prepare any further documentation.
What is applicable: law, supervision and jurisdiction?
A European entity will always have to comply with GDPR for its actions – also in the context of data exports. Accordingly, it will have to meet all obligations and will have to endure all sanctions (if any) resulting from GDPR. Likewise, a European entity will always be subject to the supervision of the competent European data protection authority and the jurisdiction of the competent European courts.
In this respect, it makes no difference to a European entity whether it chooses SCC or DPF as the legitimization for its data exports.
However, for a data importer in the USA, the difference between SCC and DPF is significant in this regard: application and enforcement of SCC will always be made in accordance with European law. Under the SCC, the U.S. data importer must submit to the provisions of the GDPR, the oversight of the relevant European data protection supervisory authority, and the jurisdiction of the relevant European courts.
This is not the case when employing the DPF: here, the data importer acts exclusively under applicable U.S. data protection law and is subject exclusively to the supervision of U.S. authorities (in particular the FTC). As per the DPF, the U.S. data importer is obliged to cooperate with European data protection authorities; however, these have no further authority, especially not to issue sanctions. Further, the actions of the data importer are in principle subject to the jurisdiction of U.S. courts, although the escalation and arbitration mechanisms of the DPF must be observed.
Which formalities have to be observed between data exporter and data importer?
The application of SCC requires the preparation of and agreement on several documents between the data exporter and the data importer: first, a “Data Transfer Agreement” (“DTA”) is needed, unless it is part of or the result of another contract existing between the parties (and/or an agreement on commissioned data processing). Second, the SCC must be agreed upon with the exact same content as mandated by the EU Commission. Further, the SCC require a mandatory Transfer Impact Assessment, which must be made before the data export starts and must be sufficiently documented. Once these documents are created, however, they have an unlimited shelf life (at least in principle). On the other hand, SCC are highly inflexible because they must be adapted whenever the circumstances of the data export change. For example, if other types of data are to be exported, the documentation must be prepared all over again.
If a data export is legitimized via the DPF, there will also be a DTA in place between the parties in most cases. However, all further requirements to be observed when implementing the SCC do not apply. Simply referencing the DPF is already sufficient, provided that the data importer is validly certified under the DPF in the U.S. and fully maintains its certification. It should be noted that not all companies are certified and also that not all types of companies can certify themselves. Whether a company is certified can be checked on the website www.dataprivacyframework.gov.
To be continued!
You can find Part 1 of this Q&A here. You can find Part 3 of this Q&A here.