EU Commission adopts adequacy decision on data transfers under the EU-US Data Privacy Framework

Posted: 17/07/2023

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, having concluded that the United States ensures an adequate level of data protection - comparable to that of the EU - for personal data transferred to US companies participating in the framework. The decision allows for the transfer of personal data from the EU to such US companies, without the need to put in place the EU standard contractual clauses (EU SCCs) or another GDPR safeguard.

The adequacy decision follows the United States' signature of an executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. These safeguards aim to ensure that data can be accessed by US intelligence agencies only to the extent that is necessary and proportionate. The executive order also states that the US will establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.

The adequacy decision entered into force on 10 July 2023. There is no time limitation, but the European Commission will continuously monitor developments in the United States and regularly review the adequacy decision. Legal challenges to the framework are expected, similar to those that impacted the Privacy Shield. The non-governmental organisation, NOYB, led by privacy activist Max Schrems, has already indicated that it will be challenging the new framework at the Court of Justice of the European Union. The European Commission, however, has stated that it is very confident in the new framework and will defend it if challenged. 

What does this mean for EU to US data flows?

As a result of this adequacy decision, personal data can flow freely from the EU to US organisations that self-certify their participation in the framework and commit to comply with a set of privacy obligations. Such obligations include privacy principles such as purpose limitation, data minimisation and data retention, data security and data sharing.

The framework gives EU individuals whose data is transferred to participating US companies rights that include, for example, obtaining access to their data and obtaining correction or deletion of incorrect or unlawfully handled data. In addition, it offers various redress avenues if data is wrongly handled, including independent dispute resolution mechanisms (which are free of charge) and an arbitration panel.

How can US companies certify under the framework?

The US Department of Commerce will process applications for certification under the framework and monitor whether participating companies continue to meet the certification requirements. Compliance by US companies with their obligations under the framework will be enforced by the US Federal Trade Commission.

Further details about the scheme and the application process will be set out on the Department’s Data Privacy Framework website, which is due to launch on 17 July 2023. Companies that self-certified under the EU-US Privacy Shield, which preceded the framework, must now comply with the framework principles, including by updating their privacy policy by 10 October 2023. Such companies do not need to make a new application to participate in the framework and may begin immediately relying on it to receive personal data from the EU. Any company that self-certified under the EU-US Privacy Shield but does not wish to participate in the framework will need to complete the scheme’s withdrawal process. 

What about transfers to US companies that are not certified?

The EU SCCs or another safeguard will still be needed for EU transfers to US organisations that are not certified under the framework. A data transfer impact assessment (DTIA) should also be carried out. Existing DTIAs for transfers to the US should be updated to take account of recent changes in US surveillance laws, including those set out in the new executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’.

As previously flagged in our updates, any data transfer agreements relying on the old EU SCCs for transfers from the EU must be updated with the new EU SCCs published by the European Commission on 4 June 2021 (the deadline to update was 27 December 2022). 

What about UK to US data flows?

On 8 June 2023, and as discussed in our previous update, US President Joe Biden and UK Prime Minister Rishi Sunak announced that the US and UK had reached a commitment in principle to establish a UK/US ‘data bridge’ between the two countries, which will be an extension of the EU-US Data Privacy Framework. US companies may apply to participate in the UK extension from 17 July 2023 when the Data Privacy Framework website launches, but will not be able to rely on it to receive personal data from the UK until the UK’s adequacy regulations implementing the new UK/US data bridge enter into force.

This is expected to happen later this year. Once such regulations are in force, the data bridge will act as a UK adequacy decision and data will be able to flow freely from the UK to US organisations that certify under the UK extension to the framework.

For transfers from the UK to US organisations that are not certified under the UK extension to the framework, a safeguard will still be needed, such as the UK international data transfer agreement (IDTA) or, where EU SCCs are used, the UK international data transfer addendum. In these circumstances, a DTIA should also be carried out. Any data transfer agreements relying on old EU SCCs for transfers from the UK must be updated by 23 March 2024. 

How we can help

We have considerable experience in advising our clients on international data transfers and all other aspects of data protection law. We can provide template contracts, help negotiate contracts, and provide end-to-end management of repapering projects. We also regularly assist with preparing DTIAs for the US and other key jurisdictions.

If you would like to discuss your organisation’s international data transfers, please get in touch with your usual Penningtons Manches Cooper contact or Joanne Vengadesan or Anna Frankum.

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.