Authors: Tomos Lewis and Ben Wilson
The European Commission adopted a new adequacy decision regarding the EU-US Data Privacy Framework (“DPF”) on 10 July 2023. The DPF will allow the transfer of EU personal data to US companies which are certified under the DPF without any additional restrictions.
BACKGROUND
The Court of Justice of the European Union (“CJEU”) heard “Schrems I” in 2015. Max Schrems argued that Facebook’s transfer of personal data from the EU to the US violated European data protection laws because the US did not provide an adequate level of protection for personal data. The case primarily focused on the Safe Harbor framework in place at the time, which was an agreement between the EU and the US allowing the transfer of personal data. In October 2015, the CJEU invalidated the Safe Harbor Framework for not adequately protecting the privacy rights of EU citizens.
In June 2016, the US and EU agreed a replacement framework – the “EU-US Privacy Shield” which was a data protection agreement between the EU and the US, which similarly aimed to facilitate the transfer of personal data between the two regions by ensuring an adequate level of protection.
The Schrems II case followed its predecessor and was heard by the CJEU in July 2020. This case considered the EU-US Privacy Shield, The court ruled that the Privacy Shield did not offer adequate safeguards for EU citizens’ personal data due to concerns regarding US surveillance practices and the lack of effective remedies for EU individuals. This decision meant that the Privacy Shield could no longer be relied upon as a legal basis for transferring personal data from the EU to the US.
Following the invalidation of the Privacy Shield, EU personal data could only be transferred to the US if additional safeguards were in place. One of the most common mechanisms is the use of Standard Contractual Clauses (SCCs), which are detailed contractual clauses approved by the European Commission that provide data protection safeguards. The organisation exporting the data would also need to undertake a transfer risk assessment prior to the transfer of data. The process is time consuming and costly which would deter organisations from beginning the process and organisations in the EU have faced frustration in implementing transfers to the US.
THE ADEQUACY DECISION
The decision of the European Commission means personal data can now be transferred from the EU to US organisations that certify themselves under the DPF, provided there are no other data transfer mechanisms in place. The US Department of Commerce will process applications and monitor compliance with the privacy obligations that organisations must comply with under the DPF.
If transferring to a DPF certified organisation, the EU data exporter will no longer be required to carry out a transfer risk assessment. The adequacy decision and the DPF has quickened the process and reduced costs for the parties – there is no need to enter the SCCs with the US organisation or carry out a risk assessment, this streamlined process is undoubtedly welcomed by both EU and US organisations alike.
DOES THIS APPLY TO THE UK?
No. This agreement is between the EU and the US and the UK are not a party. Currently, UK organisations wishing to transfer personal data to the US would need to agree alternative transfer mechanisms, such as the SCCs.
However, the UK and the US have reached a commitment in principle to establish a UK extension to the DPF, which will create a ‘data bridge’ between the UK and the US. The data bridge is not currently in force, but once finalised the US companies which are certified under the DPF will be able to receive UK personal data under the new data bridge.
Finalising the data bridge was noted as a key deliverable for 2023 in the US-UK Comprehensive Dialogue on Technology and Data. The UK-US data bridge, when finalised, would constitute a UK-issued adequacy decision.
It should be noted that notwithstanding the establishment of any such data bridge, organisations will still need to have a lawful basis to transfer the personal data as well document the arrangements that they have in place with the entities in the US with whom they share their personal data (such as a data processing or data sharing agreement).
We will be closely monitoring any developments and shall provide any updates on our website in due course.
Should you have any queries regarding data protection, please contact our specialist data protection team here.