The EU-U.S. Data Privacy Framework (DPF) was adopted in July of 2023. It effectively replaced the now-invalidated Privacy Shield and helped give some clarity to U.S. companies who receive personal data from individuals located in the EU.
However, many legal experts and privacy advocates have cautioned that DPF certification is not a failsafe way to avoid legal issues under the GDPR. U.S.-based companies that host EU data in the U.S., even under the DPF, can still face complaints, investigations, or fines under the GDPR.
This article explores why and how businesses can still be sued or fined under the GDPR, even if they rely on the Data Privacy Framework (DPF) and what they can do to mitigate some of the risks.
- 1. What is the EU-U.S. Data Privacy Framework (DPF)?
- 2. What are Some Scenarios Where Businesses Using DPF May Face GDPR Complaints or Fines?
- 2.1. A Future Schrems III Legal Challenge That Invalidates the DPF
- 2.1.1. What Could Happen If Schrems III Succeeds?
- 2.2. Non-Compliance with DPF Principles
- 2.3. A DPF-Certified U.S. Company Violates GDPR Processing Rules
- 2.4. Data is Transferred to Non-DPF Entities
- 3. How Can You Mitigate Risk of Lawsuits While Using the DPF?
- 3.1. Don't Rely Solely on the DPF
- 3.2. Regularly Audit Your DPF Compliance
- 3.3. Monitor Schrems III and Other Legal Developments
- 3.4. Maintain GDPR-Compliant Data Processing Practices
- 4. Summary
What is the EU-U.S. Data Privacy Framework (DPF)?
The DPF is a transatlantic agreement that's designed to help make sure that personal data transferred from the EU to U.S. organizations certified under the DPF receives protections that are "essentially equivalent" to those provided under the GDPR.
Some of the key features of the DPF include:
- Binding safeguards that limit U.S. intelligence access to EU data to what is "necessary and proportionate" for national security purposes.
- A Data Protection Review Court (DPRC) to boost accountability
- Enhanced redress mechanisms: The DPRC offers an independent avenue for EU data subjects to address complaints about data misuse.
- Self-certification: U.S. companies under the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation (DOT) can self-certify compliance with DPF principles, such as notice, choice, data minimization, and security.
- Periodic reviews: The European Commission conducts annual reviews to ensure the DPF's effectiveness, with the first review completed in 2024.
The DPF enables certified U.S. companies to host EU data without additional safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). This helps to simplify compliance for transatlantic data flows.
The DPF does NOT do the following:
- Exempt companies from GDPR obligations
- Protect companies from local enforcement by EU supervisory authorities
- Guarantee immunity from private lawsuits by individuals or privacy NGOs
- Resolve all concerns regarding U.S. intelligence surveillance
What are Some Scenarios Where Businesses Using DPF May Face GDPR Complaints or Fines?
Despite the DPF's safeguards, several scenarios expose businesses to GDPR-related risks when hosting EU data in the United States. The following scenarios highlight vulnerabilities in the DPF and potential triggers for complaints or fines.
A Future Schrems III Legal Challenge That Invalidates the DPF
The DPF is already under scrutiny from privacy advocacy groups. Most notably, NOYB (None of Your Business), founded by Max Schrems, whose lawsuits led to the demise of Safe Harbor and Privacy Shield.
Max Schrems and NOYB have announced plans to challenge the DPF, arguing that it fails to address fundamental issues raised in Schrems I and II, particularly U.S. surveillance laws like Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. They argue that these do not go far enough to protect EU data from indiscriminate U.S. surveillance.
Schrems contends that the DPF is a "copy" of the Privacy Shield and lacks material changes to U.S. surveillance practices. Key concerns he has raised include:
- Insufficient redress: The DPRC's decisions are classified, which limits transparency and potentially undermines EU data subjects' ability to seek effective remedies.
- Proportionality gaps in surveillance: Critics argue that U.S. surveillance laws still permit bulk data collection of EU data, which they say does not align with GDPR's principles of necessity and proportionality.
- Fragility of executive orders: The DPF relies on Executive Order 14086, which could be repealed by a future U.S. administration. This creates uncertainty and isn't strong enough to rely on.
Example Scenario:
A European consumer whose data is transferred to a DPF-certified U.S. company files a complaint with a national DPA. The consumer alleges that their data is subject to excessive U.S. surveillance. NOYB escalates the case to the Court of Justice of the European Union (CJEU), which could suspend or invalidate the DPF, as occurred with Privacy Shield in Schrems II. Businesses relying solely on the DPF could face immediate compliance issues, including fines for unlawful data transfers.
Risk Mitigation Strategies:
- Maintain alternative transfer mechanisms as a fallback, even if not required to, such as SCCs or BCRs.
- Conduct Transfer Impact Assessments (TIAs) to evaluate U.S. surveillance risks, even for DPF-certified transfers.
- Monitor CJEU developments and prepare for a potential Schrems III ruling in the future.
What Could Happen If Schrems III Succeeds?
If Schrems III succeeds, the CJEU could invalidate the DPF. This would mean that companies relying exclusively on the DPF would be left without a legal transfer mechanism, potentially resulting in emergency suspension of transfers, fines from EU DPAs, and legal liability from affected individuals or NGOs.
Non-Compliance with DPF Principles
The DPF requires that U.S. companies publicly commit to be in compliance and annually recertify that they are. DPF certification also requires that U.S. companies adhere to principles that mirror the GDPR, such as data minimization, purpose limitation, and transparency. Failure to comply with this can lead to enforcement actions by the FTC or DPAs, as well as complaints from EU data subjects.
Some ways a company can fail to comply include not updating its Privacy Policy, or not complying with data subject access rights or dispute resolution procedures.
Example Scenario:
A DPF-certified U.S. company fails to update its Privacy Policy to reflect DPF principles. Or, it doesn't implement an adequate process for handling complaints from EU users. An EU user files a complaint with their national DPA, which investigates and finds violations. The DPA can impose a fine under the GDPR for inadequate data protection practices, even though the company is DPF-certified.
Risk Mitigation Strategies:
- Regularly audit your compliance with all DPF/GDPR principles, including Privacy Policy updates and compliant handling mechanisms.
- Designate a Chief Privacy Officer or similar role to oversee DPF compliance and respond to related inquiries.
- If you receive any complaints, promptly cooperate with the U.S. Department of Commerce and all EU DPAs to resolve the issues brought up in the complaints.
A DPF-Certified U.S. Company Violates GDPR Processing Rules
Even though adequacy decisions are issued by the European Commission, national data protection authorities (DPAs) retain the power to enforce the GDPR at the local level. Because of this, DPF certification does not shield companies from national enforcement of general GDPR principles.
This means that even if data is lawfully transferred to the U.S., how the company processes that data is still governed by the GDPR. DPF certification does not cover all processing activities that occur. It only applies to those related to the data transferred under the framework and even then, only if the processing is conducted lawfully.
Example Scenario:
A U.S. company receives data from an EU customer under DPF but fails to respect data minimization or purpose limitation. The company collects a lot of personal data, including sensitive personal data, which it processes without a valid legal basis (e.g., consent or legitimate interest). The company doesn't allow users to exercise their GDPR rights like access, erasure, or objection.
In this case, DPF protects the transfer, but the processing itself may violate the GDPR. EU supervisory authorities can still:
- Investigate and impose fines under the GDPR
- Order the deletion of data or suspension of processing it
Another Example Scenario:
After receiving a consumer complaint, a German DPA investigates a DPF-certified U.S. company that hosts EU data. The DPA determines that the company's data processing practices violate the GDPR's data minimization principle. The company may face fines and an order to cease processing, despite DPF certification.
Risk Mitigation Strategies:
- Ensure data processing aligns with GDPR principles, regardless of DPF status.
- Only collect personal data you truly need.
- Allow users to exercise their GDPR rights related to the personal data.
Data is Transferred to Non-DPF Entities
The DPF only applies to certified organizations. If a DPF-certified company transfers EU data to a non-certified U.S. affiliate or third party, GDPR compliance may be compromised. This would require the use of additional safeguards like SCCs.
Example Scenario:
A DPF-certified U.S.-based cloud service provider shares EU-based data with a subcontractor that isn't DPF certified. An EU data subject discovers this through a data access request and files a complaint with the French CNIL, alleging unlawful onward transfers. The CNIL fines the cloud service provider for failing to ensure GDPR-compliant onward transfers, even though the cloud service provider itself is DPF-certified.
Risk Mitigation Strategies:
- Map all onward transfers and ensure all of your subcontractors or third party partners are DPF-certified or bound by SCCs.
- Conduct TIAs for onward transfers to assess third-party compliance.
- Include contractual clauses requiring subcontractors to adhere to GDPR standards.
How Can You Mitigate Risk of Lawsuits While Using the DPF?
While we provided some risk mitigation strategies in each of the above scenarios, there are some additional, general things you can do to reduce the risk of GDPR complaints or fines while hosting EU data in the U.S. under the DPF.
Businesses should adopt the following best practices:
Don't Rely Solely on the DPF
Even if you're certified under the DPF, consider supplementing it with additional safeguards. This will keep you safer while the DPF is in place, and provide fallbacks in case the DPF goes away quickly.
- Use SCCs, BCRs and Data Processing Agreements (DPAs) for all non-DPF transfers of data, or as a fallback in case the DPF is legally challenged
- Conduct TIAs to assess and record risks, even for transfers done under your DPF certification. This will help you find any points of high risk and also demonstrate your due diligence.
- Use supplemental measures like encryption, tokenization, or anonymization to protect EU data from unauthorized access after it's in your hands.
Regularly Audit Your DPF Compliance
Even after you're certified under the DPF, you can't just set it and forget it. Take steps to regularly review aspects of DPF compliance and make sure you're still meeting your obligations.
- Conduct internal and third-party audits to ensure that you're always adhering to the latest DPF principles. And requirements.
- Regularly update your Privacy Policy to keep it current and accurate.
- Do an annual certification with the U.S. Department of Commerce.
Monitor Schrems III and Other Legal Developments
Stay up to date on the latest news and updates from the EDPB, CJEU, and NOYB to stay ahead of any changes that could affect the DPF and your compliance status. This will help you make changes ahead of time to ensure you stay compliant, no matter what way the law goes.
Maintain GDPR-Compliant Data Processing Practices
Make sure that you are familiar with the GDPR's requirements and that you adhere to them as required.
Ensure that:
- Data subject rights are respected
- Data collection and retention is limited
- Your implemented security measures meet GDPR standards
Summary
Hosting EU data in the U.S. under the DPF is legally permissible for certified organizations, but it does not eliminate all GDPR-related risks. Many scenarios could still lead to a business being sued under the GDPR, such as a Schrems III challenge, non-compliance with DPF principles, onward transfers of data to third parties that aren't certified, and political and legal instability.
By having robust safeguards in place, you can help mitigate much of the risks. Some risk mitigation practices include maintaining alternative transfer mechanisms even when certified under the DPF, monitoring legal developments, and making sure you maintain GDPR-compliant data processing practices. Doing these things will help your business minimize risks while still taking advantage of the DPF's benefits.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.