On 10 July 2023, the European Commission adopted its adequacy decision on the new data privacy framework between the EU and the US. The much anticipated decision confirms that the US now provides an 'adequate level of data protection’ to the EU meaning that it is now easier for EU businesses to transfer personal data to self-certified businesses in the US.
What does this mean for businesses?
This new data bridge, known as the EU-US Data Privacy Framework (DPF), makes compliance easier and facilitates the free flow of data between the EU (and EEA member states, Norway, Iceland, and Liechtenstein) and the US. However, to rely on the DPF, a cross-border transfer must be to a self-certified business (i.e., it is not a blanket adequacy decision that allows transfers to all businesses but only to those who have certified that they will comply with the DPF). In practice, this means that businesses relying on the DPF do not need to put in place appropriate safeguards. The most commonly used appropriate safeguards that legal and tech teams will be familiar with are the Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
The DPF comes against the backdrop of the Schrems II ruling, which invalidated the previous EU-US data privacy framework known as the Privacy Shield. This decision ruled that the Privacy Shield was unlawful to transfer personal data to the US due to the lack of protection given to data subjects (and their personal data) and the unfettered access US intelligence authorities had to this personal data. Further, this ruling imposed strict conditions on the use of the SCCs, which businesses have struggled to comply with in practice as reported in our previous article on Meta Ireland’s record fine.
Can businesses still rely on the SCCs?
The short answer is yes. EU businesses may still choose to rely on the SCCs and may in fact be required to do so if the US business is not self-certified under the DPF. If doing so, they are still required to carry out a Transfer Impact Assessment (TIA) alongside the SCCs.
An update to the UK-US Data Bridge
On 12 October 2023, The Data Protection (Adequacy) (United States of America) Regulations 2023 (UK-US Data Bridge Regulations) came into force, implementing an adequacy decision between the UK and US (UK-US Data Bridge). This UK-US Data Bridge piggy-backs off the DPF and extends it to transfers of personal data from the UK to the US. A full comment on the impact of the UK-US Data Bridge will be set out in a further article.
The DPF makes it easier for businesses who transfer personal data from the EU to the US as there will be no need to implement appropriate safeguards to transfer data. To rely on the DPF, businesses will need to check the Data Privacy Framework List to ensure the receiving US business is on that list. If a US business is not self-certified under the DPF, businesses transferring personal data to the US will still need to implement appropriate safeguards such as the SCCs or the BCRs. Whilst this adequacy decision is good news for both EU and US businesses, it opens the door for Schrems III. Max Schrems has already indicated that the DPF is largely a copy of the previously invalidated frameworks (i.e., the Privacy Shield and Safe Harbour) and that it does not go far enough to address invasive US surveillance laws. Max Schrems expects “this to be back at the Court of Justice [of the European Union] by the beginning of next year” and EU, UK and US businesses will be watching this closely.