Existing data transfer mechanisms remain useful and can benefit from EU-US adequacy decision

Andre Walter of Pinsent Masons said that a transfer impact assessment (TIA) will still need to be carried out when relying on those mechanisms, but the new adequacy decision will help to streamline that process. This is because the safeguards provided for under the DPF, such as new limits on US authorities’ rights to access the data transferred, will apply to other transfer mechanisms such as standard contractual clauses (SCCs) too.

TIAs will not need to be carried out by businesses that self-certify against the DPF’s privacy principles. However other businesses seeking to rely on other data transfer mechanisms to export personal data to the US, such as SCCs, will still need to carry out TIAs, Walter said.

The DPF was formally endorsed by the European Commission in a so-called adequacy decision earlier this month. In issuing the adequacy decision, the Commission has considered that personal data transferred to the US in accordance with the DPF will benefit from data protection standards ‘essentially equivalent’ to those that apply in the EU – the threshold jurisdictions outside the European Economic Area (EEA) must meet to benefit from a Commission adequacy decision under the EU General Data Protection Regulation (GDPR).

The DPF is designed to facilitate the free flow of personal data across the Atlantic in support of cross-border business operations and trade, though only businesses subject to regulation by the US Federal Trade Commission or US Department of Transportation are eligible to self-certify under it.

The types of businesses that will not be able to rely on the DPF for EU-US data transfers include US financial services institutions and telecommunications companies. Walter said those businesses, and others that choose not to self-certify to the DPF, will need to continue using SCCs or other transfer mechanisms, and conduct TIAs to ensure their arrangements comply with the GDPR.

“The good news is that the Commission has confirmed that the safeguards underpinning the DPF ‘apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used’ and ‘facilitate the use of other tools, such as SCCs and binding corporate rules (BCRs)’. This will make the TIAs to the US a much easier exercise – the need for supplementary measures has decreased significantly,” he said.

“Moreover, there might be good business reasons to continue relying on SCCs and carry out TIAs, because organisations do so for transfers to other jurisdictions for inter-group transfers, or for transfers for the same contract or project anyway,” he said.

Walter said: “For businesses self-certifying under the DPF, no TIA needs to be carried out, and no supplementary measures require to be put in place either. This is because the transfer in question relies on an adequacy decision – and the European Commission has essentially undertaken the necessary assessment on behalf of the business”.

“The position is different for transfers to the US relying on SCCs or BCRs – a TIA should be carried out for those arrangements – but those TIAs will be much less of a headache than in the past. TIAs will continue to be necessary for transfers to other third countries relying on SCCs or BCRs. Relevant supplementary measures should be documented in those cases too,” he said.

For UK-US transfers, the UK and US are expected to make a new UK ‘data bridge’ - the new UK terminology for an adequacy decision – available shortly, and US organisations can sign up to the UK extension of the DPF on the DPF website in anticipation. However, UK-based data protection expert Rosie Nance highlighted that as this data bridge is not yet in place, a mechanism such as SCCs and a TIA will still be required for all transfers. 

“From a UK perspective, the Commission’s adequacy decision is positive news, as it paves the way for the UK decision,” she said.

“For the moment, the UK has not been named as a ‘qualifying state’ for the purposes of Executive Order 14086, which means UK data subjects do not yet have access to the redress mechanism put in place by the Executive Order. A TIA is still required, but organisations in scope for the UK GDPR are able to follow the ICO’s risk-based approach and assess whether the transfer significantly increases the risk to data subjects’ privacy and human rights,” she said.