And here comes the first legal challenge to the EU-US DPF…
The EU-US Data Privacy Framework (the EU-US DPF, or “Privacy Shield II”) was agreed upon and put in place earlier this year. It established an adequacy decision and framework that allows EU to US data transfers, replacing the previous Privacy Shield framework that was invalidated as a result of “Schrems II”. Variations of this framework also cover UK to US and Swiss to US transfers. This was good news for companies and privacy professionals alike, since it alleviated the need for TIAs and SCCs, and the tricky task of picking a defensible Article 49 derogation if needed.
Of course, it was only a matter of time before this got challenged again, and that just happened. A French MEP has filed challenges against the EU-US DPF on the familiar issue of US mass surveillance, and also on the grounds that the notifications about the EU-US DPF were in English only, the latter being a purely procedural issue.
There are many issues with this challenge, including whether the MEP has standing, and also the multiple years this challenge will take to traverse the legal system.
The takeaway from all of this is to use the EU-US DPF to legalize your transfers, and to make sure you understand and comply with the EU-US DPF Principles. Keep your options and fallbacks in place, namely SCCs and Article 49 catch-alls, so you are not constantly chasing this changing landscape.