
The most important facts about the new agreement on data transfers between the EU and the US

On 10 July 2023, the EU Commission adopted a new adequacy decision for secure data transfers between the EU and the USA. The Trans-Atlantic Data Privacy Framework (TADPF) is thus the third attempt, after “Safe Harbor” and “Privacy Shield”, to make transatlantic data transfers as unbureaucratic as possible. Those interested in the genesis and the path to the TADPF will find interesting information here and here.

But we are looking ahead. What is important for practitioners to know?

  1. Effect of the TADPF

The TADPF is an adequacy decision within the meaning of Article 45 (1) of the GDPR. Accordingly, the US is once again considered a so-called safe third country under data protection law, with the consequence that no additional legitimisation instruments are required for data exports to recipients based in the States. Unlike other adequacy decisions, however, the TADPF has only limited effect. As with the predecessor Privacy Shield regime, the privileging effect of the TADPF applies only to those data recipients that have undergone a self-certification mechanism under which they agree to comply with a set of detailed data protection obligations. Companies that are certified according to the criteria of the TADPF will be listed at www.dataprivacyframework.gov in the foreseeable future. The website is currently under construction.

To do: Data processors should check both existing contracts with data recipients in the States and new contracts to see whether they are certified data recipients. If this is not the case, alternative transfer instruments are still required (see the next section).

  2. The fate of the SCC (and TIA)

Data transfers to recipients in the US have been successively switched to standard contractual clauses (SCC) in the wake of the ECJ’s Schrems 2 ruling. The SCCs are regularly part of a data processing agreement (DPA). Most DPAs contain a validity or priority clause, according to which SCCs should only come into play if the country of destination of the data export is not classified as a safe third country. In these cases, certified data importers based in the US will switch to the TADPF quite quickly in the future without having to make any adjustments to the contract.

To do: Concluded DPAs should be examined to determine whether adjustments to the third-country transfer basis are necessary.

Nevertheless, completed SCCs and in particular the Transfer Impact Assessments (TIAs), some of which have been painstakingly prepared, are not completely useless. SCCs continue to be needed both for those recipients in the US who have not submitted to the self-certification mechanism and those in all other regions of the world who are classified as not secure in terms of data protection law. On the other hand, I do not see the reserve function of the SCCs in the event of an all-too-surprising “end” to the TADPF, for various reasons.

To do: If the data recipients are based in the US and are not subject to the TADPF or are located in so-called non-secure third countries, SCCs must still be concluded as a rule.

  3. Further compliance obligations for data processors

If a third country transfer occurs in connection with data processing, it is not only this transfer itself that requires separate legitimisation. In these cases, data processors are subject to further compliance obligations, including in connection with data subjects’ rights.

To do: The TADPF requires adjustments to this data protection law documentation. The most important are the following:

  • Adaptation of the data protection declaration (Art. 13, 14 GDPR)
    • Reference to the fact that the data processing involves a third country transfer,
    • Designation of the recipient,
    • Change of the transfer instrument from SCC to TADPF, if applicable
  • Adaptation of templates for the information of data subjects (Art. 15 para. 2 GDPR)
    • Conversion of the transfer instrument from SCC to TADPF, if applicable
  • Adaptation of the documented selection decision in the event of the use of processors (Art. 28 (1) GDPR)
    • Monitoring whether processors already used or to be used have submitted to the TADPF; but: if this is not the case, the use of the service provider is nevertheless not excluded per se
  • Adaptation of the information in the register of processing activities (Art. 30 GDPR)
    • Adaptation of the VVT entry pursuant to Art. 30 (1) (e) of the GDPR (documentation of appropriate safeguards in the case of third country transfers)
  • Adaptation of existing data protection impact assessments (Art. 35 GDPR)
    • in any case, if risks in connection with data transfers to recipients in the US are the main subject of the assessment

  4. Add-on: Impact on data processors based in Switzerland

In the past, Switzerland has always signed an agreement with the US independently of the EU. Just like the EU, Switzerland has been trying to conclude a Swiss-US Data Privacy Framework with the US for about 3 years. According to the Federal Data Protection Commissioner (FDPIC), once the EU-US Framework has been concluded, a conclusion of the Swiss-US Data Privacy Framework should be expected in a few months. According to Art. 16 para. 1 of the revised Data Protection Act (DPA), the Federal Council is responsible for determining that the legislation of a state in question guarantees adequate protection. The states with adequate data protection are listed in Annex 1 of the Data Protection Ordinance (DPA). Until the Swiss-US Data Privacy Framework is completed, there will be no change to Switzerland’s adequacy list and thus to the rating of the US as an insecure third country.