It looks like Christmas has come early this year with a long-anticipated adequacy decision on the EU-US Data Privacy Framework (the Framework) by the European Commission.

This decision came into effect on Monday 10th July 2023 following a long period of negotiations between the EU and US and replaces the former EU-US Privacy Shield arrangement.

This is a landmark decision which recognises that the US provides an adequate level of protection for personal data (comparable to the standard of data protection adopted in the EU) for any transfers of personal data from the EU under the Framework. It allows organisations in the EU to transfer personal data to US organisations that certify that they comply with the Framework, without having to commit to any additional transfer mechanisms, such as the Standard Contractual Clauses (SCCs).

The road so far

Businesses across the EU will breathe a sigh of relief upon hearing this news. The story of international transfers to the US has seen “Harbours”, “Umbrellas” and “Shields”, as well as the infamous Schrems II ruling in July 2020, in which the Court of Justice of the European Union (CJEU) held that the then-current EU-US Privacy Shield was no longer a valid mechanism for transfers of personal data from the EU to the US, on the basis that US law did not provide adequate protection of personal data. The same ruling also introduced new requirements regarding the steps businesses had to take before they could rely on the SCCs for international transfers of personal data.

As the Schrems II ruling required additional onerous measures to be in place for any international transfers, it was considered hugely impractical by the majority of businesses. Data transfers to the US are very common (and, in fact, almost impossible to avoid for many reasons, including the fact that the US is home to some of the largest cloud service providers and software service providers), and therefore any limitations on such transfers can make it very difficult for organisations to trade globally.

How is the new Framework different?

The Framework allows US companies that self-certify their compliance with the Framework to receive personal data from the EU without the need for any additional safeguarding mechanisms. The question on everyone’s lips, though, is how it differs from the “Shields” and “Harbours” that were so heavily criticised by the CJEU. The Framework aims to address the concerns previously raised by the CJEU, the main one being access to data by US public authorities and intelligence services. The Framework states that such access will be limited to only what is necessary and proportionate, and that EU citizens will have access to improved redress mechanisms (such as the newly-introduced Data Protection Review Court) to pursue in the event that their personal data is mishandled.

The Commission also promises that the EU-US Data Privacy Framework will be subject to regular reviews, with a focus on the effectiveness of the redress mechanisms and co-operation between the EU and US authorities.

So what does this all mean for the UK?

Although this decision currently only applies to transfers from the EU, it is highly likely that the UK Government will follow this decision and adopt a similar adequacy decision for transfers of personal data from the UK to the US. The UK government has previously announced an agreement in principle with the US to sign an extension to the Framework (once the Framework was agreed) and we expect this to follow swiftly.

What should businesses be doing now?

The implications of this adequacy decision are significant, to say the least. Many organisations, particularly large tech platforms, rely heavily on US infrastructure to provide services such as cloud hosting, software services, social media and marketing, and therefore global data flows are crucial to their business models. We expect to see many organisations immediately signing up to the Framework, meaning that they can freely receive data from EU businesses (and, in due course, hopefully UK businesses too) without the onerous obligations that come with the SCCs. Additionally, the Commission has stated that companies that are self-certified under the Privacy Shield Framework will have access to a simplified procedure to self-certify under the new Framework.

Whilst this is no doubt incredibly welcome news, those sighs of relief will likely be tentative. We are yet to see whether there will be any challenges to this new adequacy decision (and whether it withstands the test of Max Schrems). Many EU organisations may still be keen to retain SCCs in their contracts with US recipients of personal data, as a “back-up” in case the Framework goes the same way as Safe Harbour and Privacy Shield before it. However, whether vendors will accept this is another question, and there is no doubt that, for the time being, the Framework negates the need to have SCCs in place.

Nonetheless, this does not mean that businesses can be complacent and simply rely on the Framework without investigating the US recipient’s compliance. Both the CJEU and the ICO have previously indicated that there is no “magical solution” (be it the Privacy Shield, the SCCs or potentially the new Data Privacy Framework) when it comes to international transfers of personal data, and organisations are advised to:

  • identify all data flows and have a clear map of any international data transfers;
  • carry out thorough due diligence on any third country recipients of personal data, including ensuring that any US recipients subject to the Framework do, in fact, comply with its principles;
  • nominate a team (or individuals) responsible for overseeing data protection within the organisation and assessing any related risks;
  • comply with all other relevant requirements relating to international transfers, such as having appropriate transfer risk assessments in place for third country transfers subject to the SCCs; and
  • keep an eye on further developments – international transfers remain a complex area to navigate and we will undoubtedly see more activity in this area in the coming months.

Authors: Emma Erskine-Fox and Liza Vernygorova

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2023. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published: 11 July 2023
