Will the EU-U.S. Data Privacy Framework soon be cancelled?
The Trans-Atlantic Data Privacy Framework (TADPF) is a legal basis for data transfers to the USA. US President Trump is currently having numerous executive orders from his predecessor reviewed, including those on which the EU-U.S. Data Privacy Framework (TADPF) is largely based. What should you do now?
Transatlantic data protection may be facing a new challenge: under US President Trump, the existing legal framework is being weakened rather than strengthened. This can be seen, among other things, from the fact that he has initiated a review of executive orders issued by his predecessor in office and has dismissed members of a supervisory body that is jointly responsible for compliance with the TADPF.
What does it mean if the TADPF is cancelled as a legal basis?
To date, there are two main ways of transferring personal data to the USA in a legally compliant manner:
Conclusion of EU standard contractual clauses (SCC): A tried and tested method of agreeing an appropriate level of data protection between contractual partners.
Self-certification in accordance with the TADPF: Data exchange with US companies that declare themselves to be compliant with EU data protection standards also fulfils the requirements.
Should the TADPF become invalid, all data transfers based on it would be unlawful (as was already the case with its predecessors Privacy Shield and Safe Harbour). This means that companies would then have to act quickly in order to remain GDPR-compliant.
It is unclear how likely this case is. However, companies could already consider the possible consequences and prepare alternative solutions.
How can well-maintained data protection documentation support you in this?
With foxondo you can prepare this case quickly and efficiently:
1. Identification of affected contracts
By filtering for the tags ‘third country’ + ‘legal basis’, you can easily find the relevant places in foxondo and thus identify those data processing operations in your documentation that are based on the TADPF.
You could, for example, mark these questions with the status ‘in progress’ or ‘action required’ and enter a comment that a changeover to SCCs is being examined.
2. Checking and adapting contractual bases
Check whether you can conclude EU standard contractual clauses with your service providers.
Important: Do not forget to document this change in foxondo accordingly.
3. Transfer Impact Assessment (TIA)
If a changeover to SCCs is possible, the Transfer Impact Assessment (TIA), in which the risks of data transfers to the USA are to be assessed, must be recreated. This also applies if the TADPF is cancelled.
The best way to do this is to contact your data protection officer or get in touch with us: we will be happy to support you.
Is there another alternative?
If a change of service provider is an option for you, it is best to choose a provider from the EU. You can find an overview of alternatives for digital services and cloud products here, for example: https://european-alternatives.eu/de
Do you have any questions?
Then please get in touch with us at info@foxondo.com.