On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF allows transfers of personal data between EEA based organisations and US companies participating in the DPF, without the requirement for additional measures such as the use of standard contractual clauses (SCCs).
The DPF requires participating US companies to self-certify adherence to the "EU-US Data Privacy Framework Principles" (DPF Principles) on an annual basis. The DPF Principles broadly reflect the requirements of the GDPR: for example, concerning security, transparency and data subject rights, and those principles are intended to provide data subjects with a level of protection comparable to that given by EU law when their personal data is transferred to the United States.
The history of EU-US data transfer frameworks
To date, the legal framework for transfers between the EU and the USA has been uncertain, to say the least. The original data sharing framework, known as "Safe Harbor", was invalidated in 2015 following a case brought by privacy campaigner Max Schrems against Facebook, in which the European court held that the US legal system failed to offer sufficient protection to personal data transferred from the EU. The Safe Harbor regime was replaced by the "Privacy Shield" framework in 2016, which was itself invalidated in 2020 by the CJEU decision in the Schrems II case, with the European court again citing concerns about access to personal data by US intelligence agencies. We wrote about those CJEU decisions here and here.
Following the Schrems II judgment, organisations transferring personal data from the EU to the US needed to rely on the SCCs, binding corporate rules, or the GDPR's narrow 'derogations' to ensure the lawful transfer of personal data to America. However, the use of SCCs became more complex and burdensome because the Schrems II decision required organisations to assess the laws and practices in the destination country to confirm that they would not undermine the effectiveness of the SCCs. As such, since Schrems II, data exporters and data importers have been preparing "data transfer impact assessments" following guidance published by the European Data Protection Board and the ICO, in order to document the assessment of laws and practices in the US (and elsewhere).
What's different here and will the DPF be challenged?
Notably, the DPF limits the access by US government intelligence agencies to the personal data of European individuals to that which is "necessary and proportionate". There is also an independent redress mechanism designed to handle and resolve complaints from European data subjects concerning the collection of their data for national security purposes.
While these are key differences between the DPF and the previous transatlantic data frameworks, it is still possible that the validity of the DPF will be challenged (and indeed Max Schrems has already announced his intention to do so, as seen here). For now, though, the European Commission is confident that the DPF adequately addresses the CJEU's concerns from the previous Schrems litigation. The new adequacy decision requires the European Commission to review the DPF periodically (the first review shall be completed by July 2024) to verify whether its requirements have been successfully implemented.
What about UK-US data transfers?
While the DPF only applies to EU-US transfers of personal data, it also provides the basis for a similar UK-US data transfer framework to be agreed. Indeed, the UK and US governments have already agreed in principle the establishment of such a framework as part of their broader economic partnership, which was announced on 8 June 2023 as the "Atlantic Declaration". The UK Government's announcement of what it calls a "data bridge" between the UK and the US highlights that the proposed UK-US framework is subject to: further technical work in the coming months, the UK's own assessment of the data bridge (hopefully resulting in an adequacy decision and the passing of UK adequacy regulations for the new mechanism), and the US designating the UK as a "qualifying state" under Executive Order 14086 (as the US has already done for the EU, paving the way for the DPF to be made).
Given that the DPF is now up and running, with an adequacy decision from the European Commission and with Executive Order 14086 limiting the scope of data collection by US intelligence agencies, providing oversight of their processing, and creating a redress mechanism for individuals, EU organisations now have a relatively hassle-free mechanism for transferring personal data to US organisations which have certified under the DPF. There will be a period of waiting while US companies go through the necessary steps to certify under the DPF scheme, and there is also significant political pressure to ensure that the UK framework follows quickly.
In the meantime, UK exporters may feel more relaxed about transferring data to US companies that have self-certified under the DPF and agreed to the DPF Principles, although they will still need to use the ICO's Transfer Risk Assessment tool and, in most cases, they will still need to put in place either the ICO's bespoke International Data Transfer Agreement (IDTA) or the SCCs with the UK's IDTA Addendum to provide a contractual mechanism for transatlantic data transfers.
The challenge for UK lawmakers and policy teams will be to design a UK-US "data bridge" that is not significantly more or less stringent than the DPF (to avoid creating an administrative burden or confusion for US data importers and the US government) and which does not undermine the European Commission's adequacy decision in respect of the UK itself (i.e. regarding transfers of personal data from the EU to the UK). That adequacy decision is due to be reviewed by the EU in 2024, resulting in a decision on whether to extend it for the UK or to let it expire in June 2025.
Please do get in touch with us if you require advice on international data transfers.
Originally published 21.07.2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.