
EU-US Data Privacy Framework

Compliance Guide for Trans-Atlantic Data Transfers

BERLIN HAMBURG MÜNCHEN


Contents

• What is the EU-US Data Privacy Framework?
• What Is the Legal Background of the DPF?
• Is There a Predecessor to the DPF?
• How Does the DPF Address the Shortcomings of the Privacy Shield?
• What About Signals Intelligence Activities?
• How Can US Companies Qualify under the DPF?
• What is the Self-Certification About?
• Is There an Automatism for Privacy Shield Certified Companies to Qualify under the DPF?
• How Do I Know That a Company Has Self-Certified Under the DPF?
• Do I Still Need a DPA When Transferring Data to DPF Certified Companies?
• What Else Should European Companies Do Right Now?
• Once Tech Giants Have Self-Certified, Will All Privacy Risks Disappear?
• How Does the DPF Protect Individuals?
• What If the Recourse Mechanism Does Not Work to the Individual's Satisfaction?
• Will the DPF Establish a Long-Lasting Data Transfer Mechanism?
• How Can Companies Prepare Themselves for a Potential Invalidation of the DPF?

GreenGate Partners | 2 BERLIN HAMBURG MÜNCHEN


What is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework (DPF) is a new legal framework for data transfers between the EU and US. After years of negotiations between EU and US officials, the EU Commission adopted a decision on 10 July 2023 to enact the DPF (C(2023) 4745). The DPF includes a number of safeguards and redress mechanisms to protect individuals' rights and ensure that personal data transferred from the EU to the US is adequately protected, in line with the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).



What is the Legal Background of the DPF?

Art. 44 et seqq. of the GDPR aim to make sure that European standards with respect to the protection of personal data are respected even if personal data are transferred to countries outside the EU or the European Economic Area. Data exporters remain responsible for GDPR compliance and must select one of a limited number of applicable mechanisms to ensure an adequate level of data protection. The swiftest way of doing so is relying upon an EU Commission decision (like the DPF) confirming such adequacy for a given country (Art. 45 of the GDPR).



Is There a Predecessor to the DPF?

Yes! The EU Commission had previously adopted an adequacy decision for the US, the so-called Privacy Shield. However, the Schrems II decision of the European Court of Justice (ECJ, judgment of 16 July 2020 – C-311/18) confirmed that US law did not provide adequate protection for personal data transferred from the EU to the US. The ECJ found that US law did not ensure a level of protection that is essentially equivalent to the level of protection guaranteed by EU law, particularly with respect to government access to personal data. Hence, the ECJ nullified the adequacy decision.



How Does the DPF Address the Shortcomings of the Privacy Shield?

In light of the concerns raised by the Schrems II decision, the Commission has taken steps to ensure that personal data transferred from the EU to the US is adequately protected. The DPF is one such step, and it is designed to provide a mechanism for the transfer of personal data from the EU to the US while ensuring that the data is adequately protected, and that individuals' rights are respected. The DPF includes a number of safeguards, including independent recourse mechanisms and oversight by EU data protection authorities, to ensure that personal data transferred from the EU to the US is adequately protected.



What About Signals Intelligence Activities?

What concerned the ECJ the most in the Schrems II judgment were the signals intelligence activities under FISA 702 and EO 12333. On 7 October 2022, the U.S. President issued EO 14086 on Enhancing Safeguards for United States Signals Intelligence, setting limitations and safeguards for all U.S. signals intelligence activities. Safeguards such as transparency, oversight, and accountability requirements are designed to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and that individuals' privacy rights are respected.



How Can US Companies Qualify under the DPF?

As under the Privacy Shield, US companies can self-certify to qualify under the DPF. The self-certification process is voluntary, but it is the only mechanism available for US companies to receive personal data from the EU under the DPF. If a US company does not self-certify, it cannot receive personal data from the EU under the DPF.

Once an organization has self-certified, its certification remains valid for a period of one year. After that, the organization must re-certify to the DPF to maintain its certification.



What is the Self-Certification About?

To participate in the DPF, organizations must self-certify that they meet the requirements of the DPF. Annex V of the Commission decision sets out the certification requirements for US organizations that wish to self-certify under the DPF. These requirements include a number of obligations related to transparency, accountability, and cooperation with EU data protection authorities. Organizations must also provide detailed information about their data processing activities and must submit to independent recourse mechanisms. Dataprivacyframework.gov provides more detailed information on the requirements and the procedural aspects of self-certification.



Is There an Automatism for Privacy Shield Certified Companies to Qualify under the DPF?

Yes! Many US companies (including Amazon or Microsoft) kept their Privacy Shield certification and re-certified although it no longer sufficed to establish GDPR compliance. The US government assumes that these companies also want to commit themselves to the DPF. Thus, US companies with an existing Privacy Shield certification are now listed as DPF certified.

The list is available online at dataprivacyframework.gov, and European companies may rely on it when assessing the permissibility of a data transfer to the US.



How Do I Know That a Company Has Self-Certified Under the DPF?

As under the Privacy Shield, a list of all organizations that have self-certified under the DPF is available online. The US government publishes, and regularly updates, information on the validity of the DPF certifications at dataprivacyframework.gov. EU businesses may only rely on the DPF for their data transfers once, and as long as, the US company appears on the list! Data exporters should, therefore, check on an annual basis whether the transferee of personal data in the US has duly re-certified.



Do I Still Need a DPA When Transferring Data to DPF Certified Companies?

In many cases yes! Even if a US company has self-certified and qualified for the DPF, GDPR requirements with respect to signing DPAs will remain applicable. The DPF solely facilitates the transfer of data to the US; the obligation to sign a controller-processor DPA (Art. 28 of the GDPR) or a joint controller agreement (Art. 26 of the GDPR) remains entirely unaffected. The same applies to all other GDPR obligations, including providing information on data transfers to data subjects (Art. 13, 14 of the GDPR).



What Else Should European Companies Do Right Now?

If a data importer in the US appears on the DPF list hosted by the Department of Commerce, European companies should review their documentation and, in particular, update all privacy policies with respect to the applicable data transfer mechanism. Companies should also closely monitor news channels operated by their US business partners, which may provide updated versions of DPAs or other useful information that EU businesses should (or even have to) keep for documentation purposes.



Once Tech Giants Have Self-Certified, Will All Privacy Risks Disappear?

Clearly not! Although risks associated with data transfers to the US always played a significant role for EU data protection authorities and courts when criticizing certain data processing tools like Google Analytics, they were not the only concern. Shortcomings with respect to transparency or data minimization principles will still constitute important concerns which cannot be overcome by self-certifying under the DPF. EU controllers should still carefully evaluate each and every data processing activity for GDPR compliance!



How Does the DPF Protect Individuals?

The DPF includes a number of redress mechanisms to protect individuals' rights and ensure that personal data transferred from the EU to the US is adequately protected. These mechanisms are designed to provide individuals with effective administrative and judicial redress in case of non-compliance by EU-US DPF organizations. US organizations must provide for effective and readily available independent recourse mechanisms by which each individual's complaints and disputes can be investigated and expeditiously resolved at no cost to the individual.



What If the Recourse Mechanism Does Not Work to the Individual's Satisfaction?

The independent recourse mechanism will investigate complaints and make a decision providing an effective remedy if necessary. The decision of the independent recourse mechanism is binding on the organization.

If an individual is not satisfied with the decision of the independent recourse mechanism, they may also have the right to seek judicial redress. The DPF provides a number of avenues in the US for EU data subjects to bring legal action before an independent and impartial tribunal with binding powers. These avenues allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed, and to have any violations remedied, including through the rectification or erasure of their personal data.



Will the DPF Establish a Long-Lasting Data Transfer Mechanism?

Data protection advocacy non-profits have already announced that they will challenge the DPF. It may be that the ECJ will assess the validity of the DPF in the upcoming years. In addition, the Commission will perform reviews of the DPF to verify whether all relevant elements have been fully implemented and are functioning effectively in practice. The Commission will meet with various US government departments and agencies involved in the implementation of the DPF to perform these reviews. Participation in these meetings will be open to representatives of the members of the European Data Protection Board.



How Can Companies Prepare Themselves for a Potential Invalidation of the DPF?

Though the DPF offers confidence to EU individuals that their data will be protected and that they will have legal remedies to address concerns related to their data, companies may want to prepare for a potential invalidation of the DPF by the ECJ or a repeal of the Commission decision. A proper approach would be to include the EU Standard Contractual Clauses as a fallback option. This was a common practice under the Privacy Shield and helped businesses to continue data transfers when the ECJ nullified the Privacy Shield in 2020.



Alexander Tribess
Attorney | Partner
Specialized Attorney for Information Technology Law
Specialized Attorney for Intellectual Property Law

Expertise
• IT Contract Law
• Data and Data Protection Law
• IT Procurement Law

Main Focus Areas
• Drafting and negotiating contractual/licensing terms for digital business models
• Advice on data protection law, especially for digital business models
• Support for corporate financing and restructuring in the area of IT
• Legal advice in the area of artificial intelligence
• Legal support for IT procurement procedures

T: +49 40 6077049-0
alexander.tribess@greengate.legal



Our Team of Lawyers

• Dr. Diethelm Baumann
• Ellen Bergmann, LL.M.
• Natalie Dessauer
• Constantin Forstner
• Dr. Jens Ginal
• Paul Harloff
• Marian Münch, LL.M.
• Tobias Perchermeier
• Dr. Alexander Raif
• Dr. Sven Schilf



Our Team of Lawyers

• Dr. Tobias Schönhaar, LL.M.
• Dr. Leonie Singer, LL.M.
• Marc René Spitz, LL.M.
• Alexander Tribess
• Dr. Nikolaus Uhl, LL.M.



GreenGate Partners
Excellence in progress
