Data Privacy Framework (DPF): What Changes in the Use of American Solutions
After outlining the consequences of the Data Privacy Framework adopted by the European Commission on July 10, 2023, Pierre Eric Bénéteau, partner in the Analytics and Conversion practice, discusses the concrete changes in the use of American solutions such as Google Analytics, Adobe Analytics, and Facebook Ads.
The invalidation of the Privacy Shield in 2020 complicated the use of solutions provided by American companies for European businesses. These businesses had to regulate data transfers with new safeguards and comply with decisions from regulatory authorities, such as the CNIL’s decisions on Google Analytics issued in 2022.
The Data Privacy Framework, which came into effect in July 2023, simplifies the transfer of personal data from the European Union to the United States, with concrete consequences for the future use of American solutions.
Firstly, transfers of data to certified American organizations can now be made without specific restrictions. However, transfers to non-certified organizations still require appropriate safeguards in accordance with Article 46 of the GDPR.
Although the DPF facilitates transfers, uncertainty remains about how long it will last and about the status of the certified companies. It is therefore important to remain vigilant and, where necessary, to retain the additional measures that have already been implemented.
Legal Implications of the Data Privacy Framework
The Data Privacy Framework (DPF) is a mechanism that facilitates the transfer of personal data from the European Union to organizations based in the United States listed on an official roster (introduction to this new framework here: Data Privacy Framework: What Are the Consequences? – Converteo).
Under this new framework, transfers no longer require the implementation of Standard Contractual Clauses (SCCs) or other transfer safeguards such as Binding Corporate Rules (BCRs) or Codes of Conduct, which were required following the invalidation of the Privacy Shield.
American companies (e.g., Google, Adobe, Meta, Microsoft, etc.) wishing to benefit from the DPF must demonstrate their compliance with the privacy protection principles outlined in the framework. To do so, they must submit a dossier to the Department of Commerce (DoC), which assesses their compliance.
These companies are authorized to receive and process the personal data of Europeans only if they are listed on the DPF certified entities list. The current list of companies is available here: Data Privacy Framework Participant Search.
Companies previously certified under the Privacy Shield seeking to obtain DPF certification must comply with the DPF requirements by October 10, 2023.
Organizations will need to renew their certification annually.
In cases of non-compliance, the DoC has the authority to remove certain companies from the list. European businesses may still use the services of a company removed from the list, but they will no longer be able to use the DPF to regulate data transfers. They will then need to implement other safeguards such as Standard Contractual Clauses or anonymization mechanisms like proxying to ensure the same level of data protection for EU citizens.
Certified vs. Non-Certified Providers: Action Plans for Each Scenario
If the provider of your solution is listed on the DPF, it can receive and process personal data from Europeans. The use of this tool no longer requires the implementation of other appropriate transfer safeguards.
For example, Google, originally certified under the Privacy Shield on September 22, 2016, is set to achieve new certification by September 14, 2023.
Certified companies must specify the scope of their certification. For instance, Google states that its certification covers Google LLC and all its wholly-owned U.S. subsidiaries. This certification encompasses all Google tools: Google Analytics, Google Workspace, etc.
Adobe, originally certified on June 6, 2017, has announced a certification date of November 10, 2023, applicable to all data processing activities, including those related to providing online products and services and performing customer support activities.
Conversely, if the company that provides the solution is not on the DPF list, it is necessary to regulate the data transfer, for example, by signing Standard Contractual Clauses (SCCs).
Beyond implementing appropriate safeguards, the invalidation of the Privacy Shield also required European companies to analyze the legislation of the recipient country to ensure an adequate level of protection for the data.
Data transfers conducted under the DPF no longer require this prior analysis. Companies using other transfer safeguards can simplify their analysis by relying on the conclusions of the European Commission. Indeed, the safeguards established by the U.S. government in the field of national security (including the redress mechanism) apply to all data transferred to the United States, regardless of the transfer tool used.
In the Face of Uncertainties, One Attitude: Stay Vigilant
Although the new EU-U.S. data protection framework (DPF) came into effect in July 2023, uncertainties remain.
The DPF will be reassessed one year after its implementation by European bodies to ensure its full application and practical effectiveness. The decision will then be reviewed at regular intervals, at least every four years. It has already faced criticism, particularly because of its similarity to the Privacy Shield and the retention of Section 702 of FISA (FISA 702), which poses risks. Additionally, any U.S. company can be removed from the list at any time in case of non-compliance, making transfers to such a company illegal without additional safeguards.
Given these uncertainties, companies are advised to remain actively vigilant regarding the conditions for transferring and processing data of EU nationals. They should maintain robust governance around personal data and deploy flexible data collection and processing architectures (such as data anonymization) to better adapt to any potential new contexts.