There's now a new route to transfer personal data to the US under EU GDPR – for the time being at least. On 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). Max Schrems has already said that it will be challenged in the Court of Justice of the EU (CJEU) and so this is unlikely to mark the end to the uncertainty that has hung over international data transfers since Schrems II. This briefing looks at the implications of the adequacy decision.
1. What does the adequacy decision mean?
This decision means that the European Commission has concluded that the DPF offers protection for personal data transferred under it to the US that is essentially equivalent to the protection guaranteed by EU GDPR. However, only transfers to US organisations that have self-certified their participation in the DPF will be covered by the adequacy decision. For more detail on what the DPF comprises, including redress mechanisms for data subjects, please see our earlier briefing here.
In practical terms, it means that data exporters subject to EU GDPR transferring data to certified US organisations do not have to rely on an alternative transfer mechanism, such as standard contractual clauses, nor to undertake a "transfer impact assessment" to complete that transfer compliantly.
The US commitments underlying the DPF also make it easier for organisations that continue to use alternative transfer mechanisms for US transfers, including those that are ineligible to participate in the DPF, to demonstrate "essential equivalence" when completing transfer impact assessments.
The tech giants will welcome the arrival of the adequacy decision. In May 2023 Ireland's Data Protection Commission ordered the suspension of Meta's transfers of Facebook users' personal data to the US (and imposed a €1.2bn fine). Anticipating the arrival of this adequacy decision, Meta applied for, and was granted, a stay on the suspension - see our briefing here. Data protection authorities across the EU will no longer be able to suspend transfers of personal data to the US that benefit from the adequacy decision for lack of adequate safeguards.
Which US organisations are eligible to self-certify to the DPF?
US companies will be able to join the DPF by committing to adhere to a detailed set of privacy obligations which apply immediately on self-certification.
Certification will follow along similar lines to the DPF's predecessor, the Privacy Shield. Only organisations subject to the enforcement powers of the US Federal Trade Commission or Department of Transportation (controllers or processors) will be eligible – depositary institutions (such as banks), insurers and telcos are amongst those organisations which will not be able to rely on the DPF.
2. When is it effective?
It is available now and can be used as soon as the importing US organisation has certified to the DPF. The US Department of Commerce, which is responsible for administering the DPF, has said that it will launch a new website for the DPF within the next few days.
3. Will it last?
Max Schrems
No surprises: Max Shrems has made it clear that he will challenge the decision in the CJEU once exporters start to rely on it. His position is that the DPF is not sufficiently different from its predecessors struck down by the CJEU - the Privacy Shield and Safe Harbor - and does not adequately address the issues set out in Schrems II judgment, in particular US surveillance powers over non-US nationals under section 702 of the US Foreign Intelligence Surveillance Act.
4. What does it mean for the UK?
Data exports from the UK under the UK GDPR cannot rely on this adequacy decision, but the UK is eager to build on it for the purposes of making its own adequacy regulation in respect of the US.
On 8 June 2023, President Biden and Prime Minister Sunak announced that the US and UK had reached a "commitment in principle" to establish a UK/US "data bridge". This would be an extension to the DPF. To finalise this, the US needs to designate the UK as a qualifying state under Executive Order 14086 and the UK Government needs to complete its assessment of adequacy including consultation with the Information Commissioner.
Originally published by 12 July, 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.