SaaS Agreements – Data Protection: EU-US Data Privacy Framework (DPF)

In July 2023 the EU-US Data Privacy Framework, (DPF) was finally agreed between the EU and the USA. The DPF now provides a new transfer mechanism for SaaS suppliers and SaaS customers to use when transferring EU personal data to the USA. The DPF can be used instead of EU standard contractual clauses.

This means that all transfers of EU personal data made to US companies certified under the DPF by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

What is the DPF

The DPF is an opt-in certification scheme that can be used by organisations located in the USA to enable EU personal data to be lawfully transferred to the USA. The DPF is enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).

The DPF contains enforceable principles and requirements that must be certified to, and complied with, in order for a US organisation to be able to join the DPF. These principles take the form of commitments to data protection and govern how US organisations use, collect and disclose personal data.

The DPF has been in force since the 10th of July and US entities can apply to be certified on the DPF website.

Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.

Which US organisations can certify under the DPF?

Only US organisations subject to the jurisdiction of the FTC or the DoT are currently eligible to participate in the DPF program. Those US organisations not subject to the jurisdiction of either the FTC or DoT — for example, banking, insurance, and telecommunications companies — are unable to participate in the DPF program at this time.

Data excluded from transfers under the DPF

Journalistic data defined by Supplemental Principle 2(b) of the DPF is not subject to the requirements of the DPF. Therefore, such data cannot be transferred under the DPF.

Rules applicable to special category data

Special category and sensitive data can be shared with US organisations under the DPF.

EU special category/sensitive personal data

This covers personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual are considered sensitive information under the DPF. US organisations under the DPF are also required to treat as sensitive any information received which has been identified and previously been treated as sensitive by the organisation sharing the information.

EU Standard Contractual Clauses

Once a US entity is certified under the DPF there is no longer any legal requirement for SaaS suppliers or SaaS customers to:

  • use EU standard contractual clauses to make transfers of personal data; or
  • carry out Schrems II data transfer assessments; or
  • check that additional safeguards are in place to protect the personal data transferred;

as such transfers will be deemed to be to an entity located in a third country that has adequate data protection laws.

However, if a SaaS company cannot rely on the DPF to transfer EU personal data to the US for any reason, they will need to continue using EU standard contractual clauses or Binding Corporate Rules (BCRs) for such transfers to the USA. The requirement to carry out Schrems II data transfer assessments in addition will also continue.

What about Switzerland?

The Swiss Data Protection Authority is currently finalising the provisions of a parallel framework between Switzerland and the USA (The Swiss-US Data Privacy Framework). However, until the new Swiss-US Data Privacy Framework is finalized, Switzerland’s adequacy list will remain unchanged. Pursuant to the new Swiss Data Protection Act of the 1st of September 2023 the Swiss Federal Council has authority to decide on the adequacy of states and it will be up to the Swiss Federal Council to determine whether the USA can be added to the list in due course.

How to check registration under the DPF

SaaS suppliers should check that the recipient of the EU personal data is certified with the DPF. Certification can be checked on the DPF website.

It is important to check that the US organisation has signed up to both:

  • the DPF; and
  • the UK Extension to the EU-US Data Privacy Framework.

If any HR data will be transferred to the US organization:

  • the certification of the US organisation on the DPF website must highlight this; and
  • there must be a link in the company’s certification on the DPF website to the relevant privacy policy or policies (for HR data and/or non-HR data) under the “Privacy Policy” section of the record.

Actions to be taken now

Where SaaS companies transfer any EU personal data to their group companies, affiliates, customers, suppliers or sub-processors located in the USA they will need to update their legal documentation to reflect these changes.

Where a transfer of EU personal data is made to a member of a group company or affiliate located in the USA they will need to:

  • apply for the US entity to be certified under the DPF;
  • amend the group company or affiliate’s privacy policy to include the mandatory information required under the certification rules;
  • amend intercompany data processing agreements to reflect the new transfer mechanism.

Where a transfer of EU personal data is made to a customer, supplier or sub-processor located in the USA they will need to:

to reflect the changes in the transfer mechanisms relied upon.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here