Compliant international personal data transfers from the EU to the US just got a whole lot easier. On 10th July the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework.
The EU-US Data Privacy Framework is a transfer mechanism which allows personal data to flow between corporate entities in the US and the EU. The adequacy decision means that the European Commission has analysed the Framework and decreed that it provides a level of protection for personal data comparable to the protection given by the GDPR.
The EU Commission has found that data transferred to companies located in the United States which have joined the Data Privacy Framework (DPF) is subject to a standard of protection which is essentially equivalent to that of the European Union.
The EU-US Data Privacy Framework is a self-certification programme which US entities can sign up to. It requires those entities to comply with specific data protection principles which are enforceable under U.S. law.
What does this mean for EU businesses?
The adequacy decision means that EU entities can transfer personal data to companies in the US which are participating in the Framework without having to put in place any additional contractual safeguards. This will reduce the level of contractual documentation required for compliant personal data transfers from the EU to the US.
Previously when transferring personal data to the US, EU entities had to use appropriate safeguards (e.g. Standard Contractual Clauses or Binding Corporate Rules) AND carry out a transfer risk assessment (to check whether data subjects of the data being transferred would continue to enjoy an equivalent level of protection as that provided by EU data protection laws). Administratively, this was (and still will be) quite a heavy compliance burden in terms of analysing all the relevant risks involved in the data transfer as well as putting the correct contractual documentation in place.
When EU entities are transferring personal data to US entities that are not signed up to the EU-US Data Privacy Framework, the requirement for appropriate safeguards and a transfer risk assessment remains.
How about UK businesses?
At the moment, UK businesses transferring personal data to the US cannot benefit from this new mechanism. However, the UK and US have made a commitment in principle to establish a “data bridge” which will take the form of an extension to the EU-US Data Privacy Framework, so we expect that this will become effective before too long.
Other points to note
In order to obtain the adequacy decision for the EU-US Data Privacy Framework, the US government had to put in place new safeguards for EU personal data in relation to US public authorities’ access to and use of such data. In October 2022, President Biden signed an Executive Order which imposed safeguards on US intelligence agency activities in relation to personal data (e.g. limiting access to such data to when it is necessary and proportionate for national security, increasing oversight of surveillance activities and establishing a redress mechanism for complaints in relation to access to personal data).
EU businesses that use personal data transfer mechanisms other than the EU-US Data Privacy Framework (like Standard Contractual Clauses and Binding Corporate Rules) will benefit from these new safeguards because it will be easier to conclude in the sections of Transfer Impact Assessments which consider public authority access to personal data that EU requirements are met.
Unfortunately, there is also a question mark over how long the EU-US Data Privacy Framework will remain a compliant data transfer mechanism. This is because the Framework is likely to be challenged in the EU courts by an organisation called NOYB and Max Schrems. They argue that the EU-US Data Privacy Framework does not go far enough to address US surveillance activities in relation to EU personal data, nor does it provide effective legal redress for data subjects.
Navigating compliant international data transfers is complicated and putting in place incorrectly drafted international data transfer contracts may expose your business to potential liability to customers and individuals as well as data protection regulators.
Here at ClaydenLaw we have been helping many clients get their data transfer compliance picture correct. If you would like us to help you as well, please contact us here for a complimentary 30 minute International Data Transfer Consultation.