On 10th July 2023, the European Commission granted an adequacy decision for the US under the EU-US Data Privacy Framework (“EU-US DPF”). To read more, visit: Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu). This long-awaited decision is welcomed by organisations from both sides of the pond. In this article, we take a look at what the decision means for the transfer of personal data across the Atlantic.
What is the EU-US DPF?
The EU-US DPF is a self-certification programme that American organisations can sign up to and rely on for the safe transfer of personal data from the EU to the US without the need for additional safeguards. Under this programme, members are required to confirm that they will comply with certain data protection principles which are very similar to those applied under the former Privacy Shield, such as data minimisation, purpose limitation, sharing of data and security. To support the programme, the US President, Joe Biden, signed an Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities” and a regulation issued by the Attorney General, the effect of which is that access to EU personal data by US intelligence agencies will be restricted what is “necessary and proportionate” and a new redress scheme to handle complaints from Europeans will be introduced.
The scheme is being administered by the International Trade Administration (“ITA”) within the U.S. Department of Commerce (“DoC”). Organisations need to renew their registration annually and the DoC will monitor compliance by carrying out spot checks and targeted audits. Those organisations that have continued with the Privacy Shield framework will be able seamlessly transition to the new DPF scheme.
Why was the EU-US Data Protection Framework needed?
Chapter V of the General Data Protection Regulation (“GDPR”) provides that if personal data is to be transferred from the EU to a third country, it must be afforded an essentially equivalent level of protection as that guaranteed in the EU. Such protection can be via an adequacy decision under Article 45 of the GDPR and the new EU-US DPF falls into this category.
In terms of previous adequacy decisions for the US, back in 2000 Safe Harbour was introduced. Much like the EU-US DPF, this was a self-certification scheme that American organisations could sign up to and, providing they adhered to the Safe Harbour requirements, they were deemed to be “adequate”. This meant that personal data could be transferred to them from the EU without any additional safeguards. However, the outcome of Schrems I, in 2015, was that the Court of Justice of the European Union (“CJEU”) found Safe Harbour to be invalid. Therefore, in 2016, the alternative scheme, Privacy Shield, was introduced but the CJEU also found this to be invalid in Schrems II in July 2020. Consequently, there was a void, meaning personal data could no longer freely flow from the EU to the US. The new EU-US DPF is the mechanism to fill that void.
What should EU organisations do now?
- Decide whether, as a matter of principle, you wish to rely on the EU-US DPF as a transfer mechanism, as it is not a legal requirement to use the EU-US DPF and you may still use a different transfer mechanism, such as the SCCs or Binding Corporate Rules, if you wish.
- If you do wish to rely on the EU-US DPF, search the register to ensure that the organisation you are transferring personal data to has been certified under the scheme.
- If the organisation to which you wish to transfer personal data is registered, you may lawfully proceed with the transfer without implementing any further safeguards. For example, a Transfer Risk Assessment (“TIA”) will not be required and Standard Contractual Clauses (“SCCs”) will not be needed either. However, as each organisation must renew its registration once a year, be sure to make a diary note to check the position again before the expiry of the registration, to ensure there is no interruption to the flow of data.
- If you decide not to rely on the EU-US DPF, you will need to decide what alternative transfer mechanism is suitable. The most commonly used mechanism is the SCCs and if using this method of transfer, a TIA will need to be carried out in accordance with clause 14 of the SCCs. That said, your TIA can include references to the relevant changes in the US that reduce the risks to personal data.
What about the UK?
The EU-US DPF has a UK-US Extension which will be suitable for situations in which the data includes UK personal data, as well as EU data. This will operate in a similar way to which the IDT Addendum operates with the new EU SCCs. However, the UK-US Data Bridge (for transfers from the UK to the US) needs to be implemented first. This is expected shortly.
What about Switzerland?
There is also a Swiss–US DPF and this will be suitable for transfers from Switzerland to the US but the Swiss government needs to confirm the adequacy status of the US first. This is expected shortly.
What does the future hold – could there be a Schrems III?
The privacy activist, Max Schrems has already criticised the EU-US DPF. In his view, the programme is not adequate because it is largely a copy of the former Privacy Shield with only minor improvements that do not sufficiently address the problems. In particular, he considers that:
- Whilst the Executive Order 14086 provides that any surveillance needs to be “proportionate”, he considers that the US will simply assign a different definition to this word than that used by the CJEU;
- Whilst the new redress scheme is a slight improvement on the previous Privacy Shield Ombudsperson scheme, the newly formed “Data Protection Review Court” is not really a court and the procedure is flawed;
- Non-US persons will not have constitutional rights in the US which means that any violation of their privacy rights is not covered under the 4th
For further detail see European Commission gives EU-US data transfers third round at CJEU (noyb.eu)
The above suggests that we may see a Schrems III in the not-too-distant future!
Do you need guidance on international data transfers?
Should you need any assistance in relation to international transfers of personal data, please get in touch, we would be glad to help.
Evalian DPO/GDPR Services - Find Out More
For information on how we process your personal data when you contact us, please see our Privacy Notice.