Following the Schrems II judgment, the EU-US Privacy Shield was declared invalid, meaning that SaaS suppliers and SaaS customers have to use standard contractual clauses (SCCs) or binding corporate rules (BCRs) when transferring EEA (or UK) personal data to the USA. In addition, SaaS customers and SaaS suppliers are required to carry out a data transfer impact assessment (DTIA) before transferring any personal data from the EEA or UK to a “third country”, i.e. the USA.
New US Adequacy Decision
In December 2022, the European Commission published its draft adequacy decision for the new EU-US Data Privacy Framework (DPF). If the European Data Protection Board (EDPB), the EU Member States and the European Parliament approve the DPF, the USA will be granted adequacy by the EU Commission and SCCs and BCRs will no longer be required for transfers of EEA personal data to the USA.
The final adequacy decision of the EU Commission is expected to be made by July 2023.
As under the EU-US Privacy Shield, companies in the USA can choose to join the DPF and must commit to certain privacy obligations.
Unlike the EU-US Privacy Shield, the DPF now:
- limits access to EEA personal data by US intelligence agencies to what is necessary and proportionate; and
- provides an independent and impartial complaints mechanism and a Data Protection Review Court.
UK Adequacy Decision
The UK government intends to grant its own adequacy decision for the USA. However, the content of a UK adequacy decision is likely to differ from the EU’s adequacy decision.
In light of recent comments made by Max Schrems on the DPF, it is very likely that Mr Schrems will challenge the validity of the DPF in the European Court of Justice on the basis that:
- the US Data Protection Review Court does not adequately protect data subjects’ rights; and
- the scope of permitted surveillance by US authorities under the DPF is too wide.
If the DPF is challenged, any UK-US adequacy decision would probably also be challenged.
Advantages of using the DPF
If the DPF is granted “adequacy” by the European Commission, SaaS suppliers and SaaS customers can use the DPF instead of relying upon SCCs or BCRs. Furthermore, as the DPF will be recognised in the EU as a legally valid transfer mechanism for transfers of personal data to the USA (until declared otherwise by the ECJ), there will be no need for SaaS suppliers and SaaS customers to carry out any data transfer impact assessments (DTIAs) in addition.
A legal challenge to any EU-US adequacy decision would probably take a couple of years to be resolved, meaning that once the DPF is in place it can be used as a valid transfer mechanism for transfers to the USA in the near future, provided that an adequacy decision is issued by the EU Commission.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, please contact me.