On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, having concluded that the United States ensures an adequate level of data protection - comparable to that of the EU - for personal data transferred to US companies participating in the framework. The decision allows for the transfer of personal data from the EU to such US companies, without the need to put in place the EU standard contractual clauses (EU SCCs) or another GDPR safeguard.
The adequacy decision follows the United States' signature of an executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. These safeguards aim to ensure that data can be accessed by US intelligence agencies only to the extent that is necessary and proportionate. The executive order also states that the US will establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
The adequacy decision entered into force on 10 July 2023. There is no time limitation, but the European Commission will continuously monitor developments in the United States and regularly review the adequacy decision. Legal challenges to the framework are expected, similar to those that impacted the Privacy Shield. The non-governmental organisation, NOYB, led by privacy activist Max Schrems, has already indicated that it will be challenging the new framework at the Court of Justice of the European Union. The European Commission, however, has stated that it is very confident in the new framework and will defend it if challenged.
As a result of this adequacy decision, personal data can flow freely from the EU to US organisations that self-certify their participation in the framework and commit to comply with a set of privacy obligations. Such obligations include privacy principles such as purpose limitation, data minimisation and data retention, data security and data sharing.
The framework provides EU individuals whose data is transferred to participating US companies with rights such as obtaining access to their data and obtaining correction or deletion of incorrect or unlawfully handled data. In addition, it offers various redress avenues if data is wrongly handled, including independent dispute resolution mechanisms (which are free of charge) and an arbitration panel.
The US Department of Commerce will process applications for certification under the framework and monitor whether participating companies continue to meet the certification requirements. Compliance by US companies with their obligations under the framework will be enforced by the US Federal Trade Commission.
The EU SCCs or another safeguard will still be needed for EU transfers to US organisations that are not certified under the framework. A data transfer impact assessment (DTIA) should also be carried out. Existing DTIAs for transfers to the US should be updated to take account of recent changes in US surveillance laws, including those set out in the new executive order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’.
As previously flagged in our updates, any data transfer agreements relying on the old EU SCCs for transfers from the EU must be updated with the new EU SCCs published by the European Commission on 4 June 2021 (the deadline to update was 27 December 2022). For further information, see our SCC toolkit.
On 8 June 2023, and as discussed in our previous update, US President Joe Biden and UK Prime Minister Rishi Sunak announced that the US and UK had reached a commitment in principle to establish a UK/US ‘data bridge’ between the two countries, which will be an extension of the EU-US Data Privacy Framework. US companies may apply to participate in the UK extension from 17 July 2023 when the Data Privacy Framework website launches, but will not be able to rely on it to receive personal data from the UK until the UK’s adequacy regulations implementing the new UK/US data bridge enter into force.
This is expected to happen later this year. Once such regulations are in force, the data bridge will act as a UK adequacy decision and data will be able to flow freely from the UK to US organisations that certify under the UK extension to the framework.
For transfers from the UK to US organisations that are not certified under the UK extension to the framework, a safeguard will still be needed, such as the UK international data transfer agreement (IDTA) or, where EU SCCs are used, the UK international data transfer addendum. In these circumstances, a DTIA should also be carried out. Any data transfer agreements relying on old EU SCCs for transfers from the UK must be updated by 23 March 2024. For further information, see our SCC toolkit.
We have considerable experience in advising our clients on international data transfers and all other aspects of data protection law. We can provide template contracts; help negotiate contracts; and provide end-to-end management of repapering projects. We also regularly assist with preparing DTIAs for the US and other key jurisdictions.
To assist companies that have numerous data transfer arrangements relying on the old form SCCs, we have developed PennSIFT. PennSIFT is an innovative AI tool that quickly sifts through volumes of contracts to identify those using old form SCCs, generating an easily readable report that will inform compliance strategy and help organisations to prioritise. For further information on PennSIFT click here.
If you would like to discuss PennSIFT or your organisation’s international data transfers generally, please get in touch with your usual Penningtons Manches Cooper contact or Joanne Vengadesan or Anna Frankum.