Better to be safe than sorry: Our Guidance
The current state of EU-US relations also affects data protection. US President Trump's actions do not suggest any interest in strengthening the existing legal framework; if anything, they point the other way. That would have consequences for corporate data protection. Now is the time to prepare for possible changes.
What is the current cause for concern?
Executive orders issued by Trump’s predecessor are currently under review, including orders on which the EU-U.S. Data Privacy Framework (TADPF) is largely based.
In addition, members of an independent US supervisory body, which is jointly responsible for oversight of compliance with the TADPF, have been dismissed.
An announcement that (data protection) fines against US companies would be treated as blackmail, and that the options of (additional) tariffs and other countermeasures would be kept open, adds to this concern.
If the US government follows through on these plans, the EU Commission might have no choice but to withdraw its adequacy decision, or the European Court of Justice might invalidate the EU-U.S. Data Privacy Framework. A frequently used legal basis for data transfers to the US would then disappear, presumably without a transition period.
What does this mean for your company?
Transfers of personal data to the US require a legal basis that ensures a level of data protection adequate by EU standards. The most accessible options currently are:
- concluding EU standard contractual clauses (SCC), or
- self-certification of the US data recipient under the TADPF
If the TADPF is invalidated (as happened years ago with its predecessors Safe Harbor and Privacy Shield), a gap would arise, and all data transfers based solely on it would be unlawful.
What can you do to prepare?
- Identify data transfers to the US which are based on TADPF alone. Your (hopefully well-managed) documentation of data transfers in foxondo will help you with this.
- Ask your contractual partner to sign EU standard contractual clauses with you for these transfers.
Where the contractual partner is unwilling to accommodate "individual customer requests", the company might consider changing service providers. Service providers based in the EU are directly subject to the GDPR, so no additional transfer mechanism is needed. You can find an overview of alternatives for digital services and cloud products here, for example: https://european-alternatives.eu/
And if the TADPF is invalidated? EU-SCCs will still provide a legal basis for the transfer of personal data. But since its Schrems II judgment in 2020, the European Court of Justice has required an additional risk assessment for such transfers: a Transfer Impact Assessment (TIA) must accompany every transfer based on EU-SCCs. If the Data Privacy Framework no longer applies, the legal situation in the US that the TIA assesses has changed, so existing TIAs must be re-evaluated and new ones created where none exist.
Summary:
Keep an eye on data protection at the US companies you work with. Wherever data transfers rely on the EU-US Data Privacy Framework, check whether EU standard contractual clauses can be concluded in addition.