Earlier this year [July], the EU adopted a decision that will see the free flow of personal data between the EU and the US – a move that will undoubtedly be welcomed by trans-Atlantic businesses. The adequacy decision for the EU-US Data Privacy Framework will allow the free transfer of personal data between EU and US companies participating in the framework on the basis of binding safeguards. 

Under the EU GDPR, the European Commission (EC) has the ability to determine whether jurisdictions outside of the EU offer an adequate level of protection for EU citizens’ personal data. The effect of such an adequacy decision is that personal data can freely flow between the EU and the non-EU jurisdiction without additional safeguards needing to be put in place. Those additional safeguards included, for example, the use of EU approved Standard Contractual Clauses (SCCs) in contracts between the data exporting and importing parties, and the carrying out appropriate data protection impact assessments. In relation to EU-US data flows, this decision is highly valuable, with the White House stating that there are more data flows between the EU and the US than anywhere else in the world. 

This is not the first time the EU and the US have attempted to put a framework in place for the free flow of data. The two previous decisions of the EC, the Safe Harbor, put in place in 2000, and the Privacy Shield put in place in 2016, were declared invalid by the European Court of Justice (ECJ) in 2015 and 2020 respectively, following challenges from privacy activist Max Schrems. These decisions were invalidated in part because of programmes allowing US authorities to access personal data transferred from the EU for national security purposes. This meant US domestic law limited the protection of EU citizens’ personal data in a way that did not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by EU law. 

The EC has stated that “new binding safeguards have been introduced to address the points raised” by the ECJ in 2020, including limiting US authorities’ access to data to the extent that it is “necessary and proportionate to protect national security”. The Data Protection Review Court has also been established, allowing EU citizens an independent redress mechanism which will investigate and resolve complaints relating to access to their data by US authorities. 

Joe Jones, director at the International Association of Privacy Professionals said that there had been “significant reforms” to the US’s surveillance safeguarding, and that the Data Privacy Framework was not just a “reheating” of the two previous attempts. However, he also said “the question is: is it good enough?” Perhaps predictably, Max Schrems is unenthused about the proposed agreement. noyb, the not-for-profit organisation led by Schrems, states that data agreements with the US will not work unless the necessary changes in US surveillance law are made, which is yet to happen. Schrems is quoted as saying that simply calling something ‘new’, ‘robust’ or ‘effective’ will not be enough for the Court of Justice, and noyb have already prepared various challenges to be filed with the ECJ. 

But what does this mean for the UK? The adequacy decision does not apply to UK-US personal data flows. In June 2023, the UK and US announced that a commitment in principle had been reached in relation to a proposed data bridge allowing for the free flow of data between the UK and US organisations that have been certified under the scheme. The data bridge would act as an extension to the EU-US Data Privacy Framework, purportedly providing businesses with an annual saving of £94.2 million. However, if the EU-US Data Privacy Framework is subject to challenge and ultimately declared invalid, this may affect the UK-US data bridge. There are also further concerns that the scope of the data bridge could bring the EU’s UK adequacy decision into question. 

For now, the new adequacy decision will facilitate EU-US data flows. It will be interesting to see how the challenges from privacy campaigners develop and what effect this will have on efforts to facilitate the transfer of data between the UK and US.  

UK businesses trading in the US may wish to consider the following steps in preparing for the introduction of the UK-US data bridge:

Latest News

AI and the Future of Work: A landscape of uncertainty - Pannone Corporate

Following our AI in the Workplace event last month (May), our guest speaker, Dr Richard Whittle, takes a closer look at AI and the future of work, lookin...

Read more...
My Life in Law – Danielle Amor - Pannone Corporate

Nearly a decade on from joining Pannone Corporate, Danielle Amor talks about her career, her passion for seeing clients get the outcome they deserve, her...

Read more...
Pannone crowned Corporate/Commercial Team of the Year at the Manchester Legal Awards - Pannone Corporate

Pannone Corporate has been crowned Corporate/Commercial Team of the Year at the 15th annual Manchester Legal Awards. The firm was recognised at the regi...

Read more...

View all posts