European Commission adopts EU-US adequacy decision
Long-awaited mechanism for allowing personal data to be transferred from EU to US has finally arrived
On 10 July 2023 the European Commission announced that it has adopted an adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”).
This development will enable the transfer of personal data from the EU to the US without the need for additional safeguards (such as the EU’s standard contractual clauses or SCCs). It comes about after the previous regime (Privacy Shield) was declared invalid by the courts in the 2022 Schrems II decision, and changes to intelligence-gathering in the States (the US authorities are required to given greater consideration to necessity and proportionality when gathering information). Given how many organisations are touched by the trans-Atlantic flow of personal data, thanks to the use of cloud technology, this news is likely to be widely welcomed.
The DPF introduces new safeguards for personal data transferred from the EU to the US, importantly including a limitation on the ability of US intelligence services to access to EU data, so that only essential data can be accessed.
New mechanisms have been introduced for EU individuals to use where they are concerned about the transfer of their personal data to the US. These include a Data Protection Review Court (“DPRC”) which will be able to investigate complaints raised by EU individuals.
US companies will be able to join the DPF by self-certifying with the US Department of Commerce that they comply with a set of privacy obligations, in particular a US company must have a suitable privacy policy that conforms with the DPF and identify a recourse mechanism (for complaints). Once a company self-certifies it must comply immediately with the DPF privacy obligations and to be able to continue relying on the DPF the company must repeat the self-certification on an annual basis. Companies that previously transferred data using the Privacy Shield should be able to move to the new regime quite easily.
EU organisations planning to export personal data to the US will be able to check, via the Department of Commerce’s website for the DPF, whether the US organisation it plans to transfer personal data to has the benefit of the DPF (and thereby enabling personal data to be transferred without the need for additional safeguards such as the SCCs).
The DPF will be reviewed annually, the first review is set to take place in July 2024, a year after its introduction.
What about the UK?
This decision is likely to influence the proposed UK Extension to the Data Privacy Framework which will control the flow between the UK and US. US organisations who self-certify under the DPF in relation to data transfers from the EU to the US will be able to self-certify for a UK extension (to also cover transfers from the UK to the US). However, for companies wishing to transfer personal data from the UK to the US only, a comparable adequacy decision is still awaited.
All in all, the DPF offers a more flexible approach for transferring personal data from the EU to US and although there is likely to be criticisms surrounding its introduction, the additional protections which were not part of the Privacy Shield should still ensure a safer process and facilitate data transfers.
