On 10 July 2023, the European Commission published the long-awaited
adequacy decision for the Trans-Atlantic Data Privacy Framework between the EU and the USA (“TADPF”). For businesses, this means that the issue of “US data transfers” should now ease somewhat – but what exactly are they required to do now?
In this newsletter, we would like to provide you with some information and further tips on how to approach the TADPF. In particular, we will look at the requirement to specify a so-called “independent recourse mechanism”.
What advantages do companies have with the new adequacy decision?
Following the fall of the “Privacy Shield” due to the “Schrems II” ruling of the European Court of Justice in 2020, European businesses had to apply other measures from the GDPR catalogue to be able to transfer personal data to service providers in the United States in a legally compliant manner. In particular, the EU Standard Contractual Clauses (“SCCs”) together with additional security measures were the means of choice in this situation. However, their conclusion with US service providers resulted in considerable additional work, particularly in the form of the mandatory implementation of a Transfer Impact Assessment (“TIA”). In addition, data protection authorities and courts continued to find cases in which the data transfers still violated the GDPR, i.e. despite the SCCs and security measures implemented. One example is the case brought by the Swedish data protection supervisory authority IMY against several companies over the use of Google Analytics, which we also discussed in our newsletter.
European businesses now have the option of refering to the new adequacy decision when transferring personal data to US service providers and partners if they are certified under the TADPF. SCCs (and therefore also TIAs) are then no longer mandatory for these data transfers. This considerably simplifies the data protection compliance measures required for EU-US data transfers.
We are a European company. What do we need to do?
As a European company, i.e. with an exclusive registered office in Europe, you simply cannot certify yourself under the TADPF – nor do you have to; certification is only intended for US-based companies.
However, it is advisable that you contact your US service providers and ask them to certify themselves under the TADPF if they have not already done so. Only when all your US service providers and partners are registered, it is ensured that the respective data transfers to the United States are covered by the GDPR adequacy decision. Otherwise, further measures such as SCCs with additional security measures are required to be able to carry out the data transfers.
We are an American company. What are we required to do?
As a US company, certification under the TADPF is not mandatory, but it is an advantage, as many European businesses will insist on the certification of their US-based service providers and partners to benefit from the simplified compliance structure for data transfers to the US. Being certified, US businesses can meet this requirement and subsequently hope for stronger European demand for their services.
Obtaining certification is actually not difficult: First, you need to register on the official TADPF website. Once a company account has been created, the application for certification can simply be submitted online. To do this, companies must complete the application form with the required information and then submit the application.
Further information about the TADPF and the certification process can be found in the TADPF information section. A two-part guide is also published there, which explains the measures required to join the TADPF step-by-step. To speed up the certification application, the necessary information can be compiled in advance.
What is the “Independent Recourse Mechanism”?
As part of the application, an “Independent Recourse Mechanism” is required, to which the applicant company must submit to a certain extent. This is necessary so that data subjects from Europe have a point of contact in the USA that they can turn to if, for example, they have not received any information from the company about the processing of their data. The background to this is that data subjects would otherwise have no opportunity to assert their data subject rights in an American court – one of the reasons why the Privacy Shield was declared invalid in 2020.
Data controllers can – if the data to be transferred is not strictly HR data – choose between specifying a so-called “Dispute Resolution Body” (“DRB”) as a third-party service provider or the (applicable) European data protection authorities.
What options are there?
A list of the available DRBs is displayed during the application process – but without further information on the individual providers. To make your search easier, we have listed the available DRBs below.
You can choose between 9 different private providers, which can be specified as “Independent Recourse Mechanism” in the certification application – if you decide against the alternative of having the corresponding procedures handled by the European data protection authorities, as mentioned above:
1. Insights Association DPF Services Program
2. PrivacyTrust DPF Services
3. BBB National Programs DPF Services
4. ANA DPF Dispute Resolution
5. ICDR-AAA DPF IRM Service
6. JAMS
7. TRUSTe Dispute Resolution (jetzt: TrustArc)
8. VeraSafe DPF Dispute Resolution Program
9. Privacy Dispute Resolution Services (PDRS)
With our experience in advising US businesses on all GDPR-related issues, we will be happy to support you in getting your company certified under the TADPF.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)