On 10 July 2023, the European Commission adopted a new adequacy decision on the EU – US Data Privacy Framework (the Framework), which will impact how personal data is transferred between the EU and the US.
Previously, parties wishing to transfer personal data from the EU to the US were required to put appropriate safeguards in place in order to do so lawfully. The most common safeguard was entering into a contract containing the EU standard contractual clauses (SCCs) after carrying out a transfer risk assessment.
However, under the new adequacy decision, personal data can flow freely and safely from the EU to the US without any further conditions or authorisations, provided the US recipient has registered under the Framework. Please note that this only applies to transfers of personal data from the EU and does not currently apply to transfers of personal data from the UK, as following Brexit, the UK operates under a separate data protection regime.
What is an adequacy decision?
This is a formal decision by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does, allowing for personal data to be freely transferred from the EU to that country, territory, sector or international organisation. Prior to the Framework, personal data transfers from the EU to the US did not benefit from an adequacy decision, which meant that alternative safeguards were required.
What about the previous EU – US Privacy Shield?
The EU – US Privacy Shield was in effect until it was invalidated by the European Court of Justice (ECJ) on 16 July 2020 in the Schrems II decision. The ECJ found that US intelligence services' surveillance programs went beyond what was necessary and proportionate and therefore did not meet the data protection standards of the EU. Since Schrems II, transfers of personal data from the UK and the EU to the US have required appropriate safeguards, as outlined above.
How does the new EU – US Privacy Framework work?
This new EU – US Privacy Framework seeks to remedy the concerns previously raised by the ECJ. In particular, it seeks to limit access by US intelligence authorities to EU data to what is proportionate and necessary to protect US national security.
The Framework also looks to introduce a new Data Protection Review Court which will have the power to order the deletion of data if it turns out such data has been collected in breach of the new safeguards. EU data subjects will be able to file complaints, free of charge, before their local data protection authority without having to show that their data has been accessed by US intelligence agencies.
The European Commission will regularly review the Framework to ensure it is being implemented correctly and working effectively.
Does this cover transfers of personal data to all US organisations?
No, it only covers transfers of data to US companies which have actively signed up to participate in the Framework. US organisations looking to rely on the Framework will have to self-certify their compliance with the standards through the US Department of Commerce. There will be a website where you can check whether a US organisation is registered.
If the US organisation is not shown on the register, the transfer will need to rely on the appropriate safeguards that are currently in place, such as the SCCs.
Is this it now for transfers of data to the US?
Not quite. Concerns about the validity of the new Framework have already been raised by NOYB, the organisation that brought the challenge against the previous EU – US Privacy Shield. This means that it is likely that a legal challenge will be brought against the new Framework.
For this reason, some organisations may find it prudent to continue using the current appropriate safeguards for any transfers of personal data from the EU to the US.
What is the current position for transfers of data from the UK to the US?
The UK is currently in negotiations with the US, and we expect the UK will follow in the EU's footsteps soon and implement its own adequacy decision with the US. However, for the time being, this is not the case.
To transfer data from the UK to the US, you will most likely need to have in place either (i) an international data transfer agreement (the IDTA) with the US organisation or (ii) the international data transfer addendum (the Addendum) along with the EU SCCs incorporated into your agreement with the US organisation. Similar to the EU position pre-Framework, you will also have to carry out a transfer risk assessment prior to putting in place the IDTA or the Addendum. Whether you implement the IDTA or the Addendum will depend on the nature of your data relationship with the US organisation, i.e. controller-to-controller, controller-to-processor etc.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.