Earlier this year [July], the EU adopted a decision that will see the free flow of personal data between the EU and the US, a move that will be welcomed by trans-Atlantic businesses. The adequacy decision for the EU-US Data Privacy Framework allows personal data to be transferred freely from the EU to US companies that self-certify under the framework, on the basis of binding safeguards in US law.
Under the EU GDPR, the European Commission (EC) may determine whether a jurisdiction outside the EU offers an adequate level of protection for the personal data of individuals in the EU. The effect of such an adequacy decision is that personal data can flow freely between the EU and that jurisdiction without additional safeguards having to be put in place. Without an adequacy decision, those additional safeguards include, for example, the use of EC-approved Standard Contractual Clauses (SCCs) in contracts between the data exporting and importing parties, and the carrying out of a transfer impact assessment of the importing country's legal regime. In relation to EU-US data flows, this decision is highly valuable: the White House has stated that there are more data flows between the EU and the US than between any other two jurisdictions in the world.
This is not the first time the EU and the US have attempted to put a framework in place for the free flow of data. The two previous decisions of the EC, the Safe Harbor, put in place in 2000, and the Privacy Shield, put in place in 2016, were declared invalid by the Court of Justice of the European Union (ECJ) in 2015 and 2020 respectively, following challenges from privacy activist Max Schrems. Both decisions were invalidated in part because of US surveillance programmes (in the 2020 judgment, those operating under Section 702 of FISA and Executive Order 12333) that allow US authorities to access personal data transferred from the EU for national security purposes. US domestic law therefore limited the protection of EU personal data in a way that did not provide a level of protection essentially equivalent to that guaranteed by EU law, and so was not sufficient.
The EC has stated that “new binding safeguards have been introduced to address the points raised” by the ECJ in 2020, including limiting US authorities’ access to data to what is “necessary and proportionate to protect national security”. These safeguards were introduced by US Executive Order 14086, which also established the Data Protection Review Court, an independent redress mechanism that will investigate and resolve complaints from EU individuals about access to their data by US intelligence authorities.
Joe Jones, director at the International Association of Privacy Professionals, said that there had been “significant reforms” to the US’s surveillance safeguards, and that the Data Privacy Framework was not just a “reheating” of the two previous attempts. However, he also said “the question is: is it good enough?” Perhaps predictably, Max Schrems is unenthused about the new agreement. noyb, the not-for-profit organisation led by Schrems, states that data agreements with the US will not work unless the necessary changes in US surveillance law are made, which is yet to happen. Schrems is quoted as saying that simply calling something ‘new’, ‘robust’ or ‘effective’ will not be enough for the Court of Justice, and noyb has already prepared various challenges to be filed with the ECJ.
But what does this mean for the UK? The EU adequacy decision does not apply to UK-US personal data flows. In June 2023, the UK and US announced that a commitment in principle had been reached on a proposed data bridge, allowing the free flow of data from UK organisations to US organisations certified under the scheme. The data bridge would operate as a UK extension of the EU-US Data Privacy Framework, purportedly saving UK businesses £94.2 million a year. However, if the EU-US Data Privacy Framework is challenged and ultimately declared invalid, the UK-US data bridge, which rests on the same US safeguards, is likely to be affected as well. There are also concerns that the scope of the data bridge could bring the EU’s own adequacy decision for the UK into question.
For now, the new adequacy decision will facilitate EU-US data flows. It will be interesting to see how the challenges from privacy campaigners develop and what effect this will have on efforts to facilitate the transfer of data between the UK and US.
UK businesses trading in the US may wish to consider the following steps in preparing for the introduction of the UK-US data bridge:
- Until the data bridge enters into force, businesses should continue to implement and use appropriate safeguards for UK-US transfers, for example the forms of agreement approved by the UK ICO, namely the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (UK Addendum). The IDTA is a standalone UK contract; the UK Addendum is attached to the EU SCCs to adapt them for transfers from the UK. In either case a transfer risk assessment should also be carried out and documented.
- Businesses should review, and where necessary update, the data sharing agreements they have in place with US companies, pending the entry into force of the data bridge.
- It is worth businesses being aware that, according to the US Department of Commerce, US companies that were certified under the Privacy Shield can transition to the new Framework with little additional work. Businesses can check which US organisations are currently certified here: https://www.dataprivacyframework.gov/s/participant-search. Given that both the Framework and the proposed data bridge build on the Privacy Shield’s self-certification model, whether a US counterparty already appears on that list is a good indication of whether transfers to it will be straightforward once the data bridge enters into force. Note that a US company must separately opt in to the UK extension of the Framework for UK-US transfers to be covered; being certified for EU data alone is not enough.
- If businesses have been cautious about trading with the US because of the restrictions on data sharing, it may be worth re-evaluating that position. Once the data bridge enters into force, the compliance process should be much simpler. UK and EU data exporters should find transfers to the US less burdensome, as most of the documentation and compliance obligations will sit with the participating US data importers by virtue of their self-certification under the EU-US Data Privacy Framework. Exporters are not relieved of all responsibility, however: before relying on a certification they should confirm that the importer’s certification is current, that it covers the relevant category of data (for example, HR data is certified separately from non-HR data), and that the transfer falls within the purposes disclosed in the importer’s privacy policy.