Transferring personal data between the EU and the US just got a little bit easier

Last month, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. The decision means that the European Commission is now satisfied that the US ensures an adequate level of protection (comparable to that of the EU) for personal data transferred from the EU to the US under the new framework.

There has been a lot of back and forth between the EU and the US over the last few years on this issue.

Seven years ago, the Court of Justice of the European Union (CJEU) ruled on the Schrems I case, which ultimately led to the downfall of the Safe Harbour network (the first framework that had been put in place to facilitate the free flow of personal data between the EU and the US).

The downfall of the Safe Harbour network gave rise to the EU-US Privacy Shield (the second framework that had been put in place to facilitate the free flow of personal data between the EU and the US). The EU-US Privacy Shield would only last for four years, before another complaint was made by Mr Schrems, which ultimately led to the CJEU invalidating that framework as well.

The new EU-US Data Privacy Framework is the third and current framework designed to facilitate the free flow of personal data between the EU and the US. It introduces new binding safeguards to address all the concerns raised by the CJEU in the Schrems cases, including: limiting access to EU personal data by US intelligence services to what is necessary and proportionate; establishing a Data Protection Review Court (DPRC) which EU data subjects will have access to; and introducing significant improvements compared to the mechanism that existed under the EU-US Privacy Shield (e.g. if the DPRC will be able to order the deletion of any personal data found to have been collected in violation of the new safeguards).

The practical implications of this change are for EU/EEA businesses are:

• EU/EEA companies can freely transfer personal data to US companies (provided they are certified under the new framework), without having to put in place additional data protection safeguards (such as standard contractual clauses or binding corporate rules). However, transfers by controllers to processors will still require a data processing contract, in compliance with Article 28 GDPR.
• As was the position under Safe Harbour and the Privacy Shield, the adequacy decision only applies to data transfers made under the new framework and not to any/all recipients of personal data in the US. Companies in the US can self-certify that they commit to complying with a detailed set of privacy principles set out in Annex I of the new framework.
• EU/EEA companies transferring personal data to the US under this new framework should still ensure that they update their internal data processing records, as well as their privacy policies/notices to inform data subjects that they are relying on the new framework as the legal basis for the transfer (where previously they may have been relying on standard contractual clauses, binding corporate rules or some other safeguard). EU/EEA companies should also verify that the relevant US company has actually self-certified under the new framework (a list of self-certified companies is available on the framework website).

A similar UK adequacy decision was expected to be adopted around the same time as the EU adequacy decision. This has yet to materialise, although the Department for Science, Innovation and Technology published a press release in June this year confirming that the UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework which will create a ‘data bridge’ between the 2 countries, and that further technical work will be undertaken in the coming months before a decision on the establishment of the data bridge is made. Watch this space …

Briffa are specialists in intellectual property, information technology and data protection law. If you need assistance with a data protection audit, preparing a commercial contract involving the transfer or handing of personal data and/or preparing a GDPR-compliant privacy policy, please do not hesitate to get in touch.