Posted: 09/11/2022
On Friday 7 October 2022, President Joe Biden signed an executive order to implement the new EU-US Data Privacy Framework announced in March. The framework aims to address concerns raised by the Court of Justice of the European Union (CJEU) in Schrems II, that led the CJEU to invalidate the EU’s adequacy decision for the EU-US Privacy Shield. Now that the executive order has been signed, the European Commission will prepare a new draft adequacy decision in relation to the US, and then launch its adoption procedure.
This is a positive development for organisations transferring personal data from the EU to the US that, since Schrems II, have needed to use an alternative mechanism to the Privacy Shield, such as standard contractual clauses (SCCs), and also conduct data transfer impact assessments (DTIAs).
Once the European Commission has adopted the final adequacy decision, expected in March 2023, data will be able to flow freely from the EU to US companies that are certified under the new Privacy Shield framework, which will be called the EU-US Data Privacy Protection Framework.
Organisations not certified under the new framework will still need SCCs and DTIAs. However, as the EU has agreed with the US that the safeguards set out in the framework will be available for all transfers to the US, regardless of which transfer tool is used, conducting DTIAs for the US should be easier.
Although the new EU-US Data Privacy Framework does not apply to transfers from the UK to the US, the UK and US governments did issue a joint statement (also on Friday 7 October) highlighting the progress made towards a US adequacy assessment by the UK and welcoming the release of the executive order. The UK intends to conclude its work on the new UK-US adequacy arrangement and lay the necessary regulations before Parliament in early 2023.
Until an adequacy decision is adopted by the EU Commission, for EU to US transfers, and adequacy regulations are passed by UK Parliament, for UK to US transfers, organisations will continue to need appropriate safeguards such as the new EU SCCs, for EU to US transfers, or the new UK , for UK to US transfers; and, in both cases, conduct DTIAs.
Importantly, any data transfer agreement relying on the old EU SCCs for transfers from the EU must be updated with the new EU SCCs by 27 December 2022.
The above developments only relate to the US, so data transfers to other countries will still need a safeguard such as the SCCs – except countries in the EEA, or which benefit from a UK/EU adequacy decision.
We have considerable experience in advising our clients on all aspects of data protection law. We can provide template contracts, help negotiate contracts and provide end to end management of repapering projects. We also regularly assist with preparing DTIAs for the US and other key jurisdictions.
If you would like to discuss your organisation’s international data transfers, please get in touch with your usual Penningtons Manches Cooper contact, or Joanne Vengadesan or Anna Frankum.
Email Joanne
+44 (0)118 402 3833
Email Anna
+44 (0)20 7457 3205
© 2024 Penningtons Manches Cooper LLP.
All rights reserved.
Website design by Frontmedia / Dynamic Pear
Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
Return to news headlines