The American dream has come true for EU businesses that export personal data to the US
The European Commission (EC) has taken a decision that will have positive and significant effects for businesses that transfer personal data from the EU to the US. The decision also has welcome implications for transferring data from the UK to that territory.
On 10 July 2023, the EC adopted an adequacy decision for transfers of personal data from the EU to the US under the EU/US Data Privacy Framework (the DPF).
The DPF provides a new basis for the flow of personal data from the EU to the US, at least for exports of such data to recipients in the US that self-certify under the new framework.
This decision is significant for international commerce between the EU and the US, due to the volume of personal data that is transferred between the two territories.
- The GDPR includes a restriction on the transfer of personal data from the EU to “non-adequate” destination territories. However, the GDPR also permits the EC to decide that third countries provide an “adequate” level of protection for personal data imported into those territories.
- Where a third country is “adequate”, the exporting organisation does not need to apply additional safeguards to the transferred data to render the transfer lawful under GDPR.
- Prior to July 2020, it was possible for organisations to transfer personal data from the EU to the US in a lawful manner under the GDPR by using the EU/US Privacy Shield scheme. However, the European Court of Justice (CJEU) invalidated this scheme in its seismic “Schrems II” decision of July 2020, citing particular concerns around the access to transferred data by US governmental agencies.
- Since Schrems II, businesses transferring personal data from the EU/UK to the US have had to apply safeguards to those transfers (such as Standard Contractual Clauses/SCCs) and prepare transfer risk assessments (TIAs). This has given many businesses an administrative and legal headache.
- Since Schrems II, the US has made important changes to the way its agencies access and collect personal data for intelligence purposes. The EC has therefore decided that the DPF is adequate for the purposes of legitimising transfers of data between the EU and US.
- To join the DPF, a US organisation must do the following:
- Identify an independent recourse mechanism.
- Self-certify with the US Department of Commerce via its website.
- This news will be welcomed by businesses that transfer personal data from locations in the EU to the US. Parties to such transfers will not need to prepare additional safeguards or TIAs regarding transfers covered by the DPF going forward.
- However, businesses should take note that the DPF:
- Only applies to those US organisations that certify under it.
- Is subject to periodic review by the EC, European Data Protection Authorities and competent authorities. It is also open to challenge before the European Courts (as the Privacy Shield was in Schrems II).
- If you are proposing to transfer personal data from the EU to the US, you should check whether the US importer is certified under the DPF and that the proposed transfer would be covered by that certification. You might also need to update your privacy notice(s) to reflect that you transfer data internationally under the DPF scheme.
- The DPF retains some similarities with its Privacy Shield predecessor. If you are a US business and were certified under the Privacy Shield scheme, you should be in a good starting position to self-certify under the DPF.
- Lastly, the adoption of the DPF bodes well for the introduction of a UK to US “data bridge”, which would serve to extend the DPF to transfers of personal data from the UK to the US. We discuss this topic in more detail in our article “A (Data) Bridge to….the US: How the EU’s American Dream Will Extend to the UK” elsewhere in this newsletter.
Read the other topical articles from our Summer Data Protection Update:
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
‘Doing the right thing’ is at the heart of Freeths. Find out more about our excellent client service and the strong set of values that guide the way we work.
Talk to us
Freeths are a leading national law firm with 13 offices across the UK. If you have a query about our services or just want to find out more, why not give us a call?
Contact: 03301 001 014