The Story So Far
On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision approving the EU-U.S. Data Privacy Framework (DPF). By doing so, the EC confirmed that personal data transferred to the United States under the DPF is adequately protected in line with the rules on international data transfers imposed by the EU General Data Protection Regulation (GDPR). As we discussed in our July 12, 2023 blog post, companies established in the EU (or whose personal data processing is otherwise subject to the GDPR) can now transfer personal data to the United States under the DPF.
Companies that need to transfer personal data from the EU to the United States are now faced with an important decision: Does it make sense to use the DPF, or is it better to leverage one of the other transfer tools available under the GDPR, such as the EU’s Standard Contractual Clauses (SCCs)?
The DPF vs. the SCCs: Key Distinction
Before diving into the similarities and differences in more detail, it is important to bear in mind one significant distinction: The DPF can only be used for transfers of personal data to the United States, whereas the SCCs can in principle be used to transfer personal data from the EU to any third (non-EU) country (subject to the requirement to carry out a transfer impact assessment (TIA)). Global companies that decide to use the DPF for transfers of personal data to the United States may therefore also need to use the SCCs for transfers to other jurisdictions.
Our analysis of the SCCs assumes that the transfers of personal data are to recipients in the United States only.
Transfer Impact Assessments: Just One Piece of the Compliance Puzzle
One requirement for using the SCCs has attracted renewed attention since the EC approved the DPF: the need to carry out and document a TIA before using the SCCs.
A TIA involves assessing whether personal data will be appropriately protected when it has been transferred to a third country, taking into account (1) the specific circumstances of the transfer of personal data; (2) the laws and practices in the third country (including those requiring the disclosure of data to public authorities or authorizing access by such authorities); and (3) additional safeguards put in place to protect the data.
The European Data Protection Board has confirmed that companies using the DPF (instead of the SCCs) do not need to perform a TIA. This is, of course, one factor weighing in favor of the DPF.
However, it is important to consider this in context. The need to carry out a TIA is just one of the many requirements for using the SCCs. Regardless of whether a company uses the DPF or the SCCs, each data transfer tool has a broader set of compliance requirements to consider and implement as needed. For the DPF, participant organizations must self-certify that they comply with the data protection principles of the DPF. For SCCs, the compliance requirements are underpinned by contractual obligations between the parties (i.e., the data exporter and the data importer) aiming to safeguard personal data after it has been transferred.
The applicable requirements under the SCCs depend on which module of the SCCs is being used for the transfer in question. For example, the obligations under Module 1 (used for controller-to-controller transfers) are different from those under Module 2 (used for controller-to-processor transfers).
Using Module 1 as an example, it is clear that the compliance requirements imposed by the SCCs are similar to those that apply under the DPF:
Transparency requirements. Under the DPF’s 'Notice’ principle, participating organizations must inform individuals whose personal data is transferred to the United States of the types of personal data transferred and, when applicable, the other entities or subsidiaries of the organization that are also adhering to the principles. Similarly, under Clause 8.2 (Transparency) of Module 1 of the SCCs , the data importer is responsible for providing individuals with specific information regarding the transfer, including the importer’s identity and contact details, as well as the categories of personal data processed.
Data subject rights requirements. Under the DPF’s 'Access’ principle, individuals have the right to obtain access to personal data about them, and they can also ask to correct, amend, or delete that data if it is inaccurate or if it has been processed in violation of the DPF’s principles. Similarly, under Clause 10(a) (Data Subject Rights) of Module 1 of the SCCs , the data importer must deal with any inquiries and requests it receives from individuals on the processing of their personal data and the exercise of the data protection rights awarded to them by the GDPR.
Redress/recourse requirements. The DPF’s ‘Recourse, Enforcement and Liability’ principle requires participating organizations to ensure that there are robust mechanisms for assuring compliance with the principles; recourse for individuals who are affected by noncompliance with the principles; and consequences for the organization when the principles are not followed. The mechanisms must include readily available independent recourse mechanisms for investigating and expeditiously resolving each individual’s complaints and disputes. The SCCs, on the other hand, contain their own set of redress requirements, notably under Clause 11 (Redress), which, for example, requires the data importer to inform individuals in a transparent and easily accessible format, through individual notice or on a website, of a contact point authorized to handle complaints. The data importer must also deal promptly with any complaints it receives from individuals whose personal data it has imported.
How Can Companies Make the Right Choice?
It is important to consider the substantial differences between the SCCs and the DPF. The following table highlights some of the differences to consider when choosing between the SCCs and the DPF.
Despite some underlying similarities between the DPF and the SCCs, there are important differences in the upfront investment required and the ongoing compliance burden. Companies seeking to choose between these transfer tools should consider each with an open mind, taking into account the above factors as well as other elements that may be material to the company’s particular circumstances and needs.