covered by the certification, verify their compliance and designate an independent recourse mechanism as well as the statutory body empowered to enforce compli- ance with the Principles. 4. Monitoring and enforcement The DOC will monitor compliance with the Framework and carry out random spot checks as well as investigate potential compliance issues, such as when reported to the DOC by third parties. Organisations that persistent- ly fail to comply with the Principles will be removed from the Framework List and must return or delete the personal data received under the Framework. 5. Other data transfer mechanisms The EC also clarified in its Q&A on the Framework that the new safeguards that were put in place under Executive Order 14086 apply to all data transfers to the U.S. The new safeguards thus facilitate other data trans- fer mechanisms, such as transfers based on standard contractual clauses (SCCs) and binding corporate rules. Organizations will have to update their Transfer Impact Assessments in light of the new U.S. safeguards. An update of the SCCs will usually not be required. 6. What’s next? Schrems III?: Max Schrems has already announced that he plans to challenge the Framework. Despite the EC’s adequacy decision, there is no legal certainty as to whe- ther the Framework will survive a challenge before the CJEU. It could be invalidated, like its two predecessors, or be upheld as an adequate mechanism, as is the case with the standard contractual clauses and binding cor- porate rules. Given the nearly 100% likelihood of a challenge to the Framework, organisations may wish to take a wait and see approach. Alternatively, eligible or- ganisations may self-certify so that they may benefit from unencumbered transatlantic data transfers. Either way the next step is critical. Choose the appropriate mechanism: Organisations involved in data transfers to the U.S. should assess what is their preferred and most appropriate data transfer mechanism. For some organizations a certification for the Framework in the U.S. will be best; others might prefer relying on the SCCs plus the new U.S. safeguards. For EU data exporters: EU data exporters should check their agreements with U.S. data importers and request information on whether current data transfer mechanism will continue to be used going forward and whether there will be changes to any subprocessors or onward transfers. Further, EU data exporters must pre- INTERNATIONAL PERSPECTIVE • REPORT pare to update their transfer impact assessments and, if the data transfer mechanism is changed to the Frame- work, amend privacy policies/notices, records of pro- cessing activities, and information in cookie consent tools. Data exporters should also check if tools or solu- tions that could not be used in the past due to data transfers issues may now safely be used. For U.S. data importers: U.S. data importers should be prepared for questions from their EU data exporters about exploring a change from their existing the data transfer mechanism to the Framework. The FTC is ex- pected to publish requirements and procedures in the next few days on: www.dataprivacyframework.gov/s/program-overview 7. Outlook It is certainly good news that the EC has issued its ade- quacy decision in relation to the Framework and has done so earlier than expected. Further good news is that EU organizations will have fewer obstacles when doing business with U.S. organizations. It should also provide renewed confidence for U.S. organizations that receive transfers of personal data from their EU-based subsidiary and affliates. That good news must be tempered, how- ever, given Schrems’ upcoming challenge to the Frame- work, as it will be up to the CJEU to determine whether Biden’s Executive Order 14086 and the respective safe- guards are enough to survive the challenge. If we were inclined towards betting, we would, together with the US and EC, back the Framework as being here to stay. Cynthia O’Donoghue specialises in technology transactions, data, cyber security and new and innovative uses of digital and smart tech. Cynthia’s practice includes advice on product development and user experience, outsourcing, licensing, digital transformation, e-commerce, cloud, apps and smart technology, block- chain and AI, particularly FinTech, mHealth and social media. Asélle Ibraimova is counsel based in the London office. Aselle advises on data transfer solutions, representing both data controllers and processors, data breach and cybersecurity incident responses, and data commercialization and product launches. She also advises on technology transactions and complex outsourcing arrangements. Dr. Andreas Splittgerber is a partner in the Munich office and member of the Tech & Data group. Andreas specializes in IT law, data protection and privacy, cyber security, social media law and internet law (Germany and EU). He is pas- sionate about technology and privacy and a thought-leader when it comes to legally evaluating new technologies (e.g. internet of things, artificial intelligence). Christian Leuthner is a partner based in Frankfurt. Christian is a trusted advisor to clients seeking help to navigate the ever-changing risk landscape associated with technological development. He advises on all aspects of IT and data protec- tion law, including cloud computing, online platforms, international data trans- fers, technology transactions, company integrations and various e-commerce-re- lated projects. Friederike Wilde-Detmering is an associate in the Munich office and member of the Tech & Data Group. She specialises in all aspects of IT law, data protection and commercial law including outsourcing, eCommerce, social media, mobile apps, AI and IoT. She places a special focus on all matters related to digital farming / agriculture 4.0. Sven Schonhofen is a senior associate in the Munich office and member of the Tech & Data Group. Sven focuses his work on legal matters that involve data protection, IT, commercial, internet, social media, e-commerce, IP, and unfair competition law. Vol. 34 • M&A REVIEW 2023 • PEMACOM 2023 37