EU-US Data Privacy Framework – what you need to know now the draft adequacy decision has been published
On 13 December 2022 the European Commission published a draft adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the framework.
The DPF is intended to address the concerns raised by the Court of Justice of the European Union in its Schrems II judgment of July 2020, in which the Privacy Shield (the legal framework that previously enabled transatlantic transfers of personal data for commercial purposes) was declared invalid.
Those concerns centred on access to European personal data by US intelligence agencies and the lack of independent redress for EU citizens.
Adoption of the adequacy decision would be very good news for companies engaged in transatlantic trade. Ever since the Schrems II ruling in July 2020, the European Commission and the US administration have been working to create a new legal framework that facilitates the transfer of personal data across the Atlantic.
If and once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the US without having to put in place additional data protection safeguards such as standard contractual clauses or binding corporate rules. In other words, personal data will be able to flow freely and safely from the EU to participating US companies without being subject to any further conditions or authorisations.
How does the EU-US Data Privacy Framework differ from the Privacy Shield?
The draft decision follows the Executive Order (EO 14086, Enhancing Safeguards for United States Signals Intelligence Activities) signed by US President Biden on 7 October 2022.
The DPF and the EO address the primary concerns that were raised in Schrems II and provide for:
- binding safeguards that limit access to data by US intelligence to what is necessary and proportionate to protect national security; and
- the establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints from EU citizens regarding access to their data by US national security authorities.
Participation in the DPF by US companies will require compliance with a detailed set of privacy principles and successful completion of a certification process with the US Department of Commerce. The data privacy principles have similarities with the GDPR including purpose limitation, data accuracy, minimisation and security, transparency, accountability and specific rules in relation to the processing of special categories of personal data.
If the decision is adopted, EU data exporters will no longer be required to complete transfer impact assessments for transfers of personal data from the EU to participating US companies, which will undoubtedly be a welcome change for exporting companies.
Do you need an adequacy decision to transfer data from the EU to the US?
It is important to remember that an adequacy decision is not the only tool for international transfers. Companies can put in place standard contractual clauses or binding corporate rules as an alternative, and must continue to rely on them in the interim. The advantages and disadvantages of each approach will need to be weighed by each company.
The good news is that the safeguards put in place by the US Government in the area of national security apply to all transfers to companies in the US under the GDPR, regardless of the transfer mechanism chosen, so they can also be taken into account in transfer impact assessments supporting standard contractual clauses or binding corporate rules.
There are no immediate steps for companies to take as a result of this development, given that the adequacy decision is still in draft; existing transfer mechanisms and assessments should remain in place until the decision is adopted.
Does the UK have an adequacy decision?
While the draft adequacy decision is for EU-US data transfers, the UK will likely be keeping a very keen eye on developments.
The coming weeks and months will reveal what the UK approach to granting US adequacy will be. Since July 2020, the UK and US have been in technical discussions on a new UK adequacy arrangement.
In October 2022 the UK's Secretary of State for Digital, Culture, Media and Sport highlighted the progress made by both countries towards a UK adequacy assessment in light of the EO.
The UK intends to work expeditiously to review the enhanced safeguards and redress mechanism. This includes concluding discussions on the remaining areas of the assessment, formally consulting the Information Commissioner, and preparing to lay adequacy regulations before Parliament in early 2023, alongside issuing guidance for organisations and individuals.
We will provide further updates as developments emerge.