The new EU adequacy decision for the ‘EU-US Data Privacy Framework’

What It Means for Transatlantic Data Flows

International data transfers present difficult issues for businesses, particularly where personal data of individuals subject to the GDPR is transferred to the US.

Breaking news emerged on 10 July 2023, as the European Commission published a new adequacy decision for the EU-US Data Privacy Framework (the DPF).

Now, organisations self-certifying to the ‘DPF’ (a self-certification programme, much like the previous ‘EU-US Privacy Shield’) will be able to freely transfer personal data from the EU and EEA to the US without needing to implement additional measures, since the new DPF is now considered to provide ‘adequate protection’ for personal data flows.

This is a big topic and we expect a number of developments around it, but this legal update covers the key points for you to know now.

Please contact us if you’d like detailed advice on this subject and how it impacts your business.

What’s the background to this decision?

International data transfers are often extremely difficult and never entirely risk free and the EU and US carry out a large amount of international trade together, meaning the rules around transfers on personal data to the US are of vital importance.

For background, under the General Data Protection Regulation (GDPR) organisations must ensure that personal data is adequately protected when it is transferred outside of the EU.  Countries outside of the EU (such as the US) are deemed ‘third countries’ and international data transfer law rules apply. The GDPR requires recipients of personal data who are based outside of the EU to protect personal data of EU residents. See our article on this here.

If an ‘adequacy decision’ is granted by the EU, it means that personal data can freely be sent to a third country, as it deems that that country affords the same level of protection to personal data as is afforded to in the EU. Without an adequacy decision, organisations need to put in place ‘additional safeguards’ in order to transfer personal data to third countries, such as the commonly used ‘Standard Contractual Clauses’.

There has been a long and complex history of negotiations between the EU and the US on this subject and now a decision has been reached on the DPF. With this new framework, the US is deemed ‘adequate’ and businesses now have an alternative lawful method to transfer personal data from the EU to the US, if they sign up to the DPF. This decision is fundamental, as the Court of Justice of the European Union had invalidated the previous EU-US Privacy Shield (which had provided a legal framework for data transfers to the US) in the Schrems 2 ruling in July 2023. See our article on this.

The European Commission President Ursula von der Leyen stated as follows on this ground-breaking decision: 

The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.

The full decision is published here.

What are the key takeaways?

• Following this decision by the European Commission, the DPF is subject to an ‘adequacy decision’, meaning organisations can transfer personal data from the EU to US much more easily. The DPF is a self-certification program companies can sign up to, which stipulates various measures to safeguard personal data.

• The DPF requires various safeguards, for example – it adopts a redress mechanism to resolve complaints around concerns and access to personal data by US intelligence agencies, imposes obligations on companies self-certifying and requires them to monitor their compliance with its framework.

• Businesses will need to ‘self-certify’ to become part of the framework and remain certified to benefit from it. Where a business self-certifies, it must publicly commit to comply with various DPF ‘Principles’. The Federal Trade Commission will work to verify whether businesses are acting in compliance of these Principles.

• This is big news for businesses who process personal data about individuals in the EU and are US based and for businesses who work with US based service providers. This key decision will make transatlantic data flows easier, which will be welcome news given how complex a topic this is and how difficult compliance with the legal rules around international data transfers are in practice.

• For companies who are unable to self-certify, other default international data transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules will need to be used to cover transfers of personal data to the US.

What is the UK’s position on this?

A key point to note is that this decision will only apply for businesses transferring personal data from the EU to the US, as there has been no decision in the UK on this yet. UK businesses should continue to use the UK IDTA or UK Addendum to cover their data transfers – see our article on this.

Whilst this news concerns EU law only, it is expected that the UK will follow the decision and implement a similar adequacy decision. The UK government have discussed a ‘Data Bridge’ under UK law which will allow for the flows of personal data between the UK and the US. This decision is not finalised yet and these developments are still being assessed, but we hope that an agreement will be reached and will continue to monitor developments around it.

Next Steps

The future of this decision is uncertain, as many commentators expect a ‘Schrems 3’, since Max Schrems and his advocacy group ‘None Of Your Business’ have already mentioned challenging the decision.

We’ve already seen two decisions in the past struck down by the European courts following challenges from Max Schrems (the Safe Harbour and the Privacy Shield, mainly because of US intelligence agencies having access to personal data of EU data subjects). Therefore, there are already fears that this decision will be invalidated, however this remains to be seen.  For now, businesses should focus on getting to grips with the DPF since it is likely to remain in force for some time. Further, some commentators suggest keeping Standard Contractual Clauses in place as a ‘back up’ mechanism in case there are future issues with the DPF – please contact us if you’d like to discuss this.

What businesses need to do next depend on where they are based and what they do with transatlantic personal data transfers. Organisations who are subject to the GDPR and transfer personal data to the US should take various steps, such as checking if the US recipient of personal data is validly certified, ensuring their contractual arrangements reflect this and updating their policies and procedures to reflect the DPF where necessary.  

US businesses processing personal data of individuals in the EU should take several steps, including reviewing the DPF and considering self-certifying, updating their internal policies and procedures, and continuing to keep an eye out for developments in this fast-moving area.

These are general pointers however given the complexity and how new these developments are, it’s important to take legal advice on the next steps for your business and what you should do to protect it and ensure that your transatlantic data transfers are compliant with the GPDR rules.

Please note that this is a fast-developing area and the feedback in this guide is accurate as at July 2023.

This is a very complex and high-risk topic for businesses, so please contact us if you would like specific advice on this topic or on any aspects of GDPR compliance.