The EU-US Data Privacy Framework – free flowing data finally?

Tuesday 8th August, 2023

It is now far easier to transfer personal data from the EU to the US, which will have a positive impact on businesses.

After a tumultuous time regarding data transfers to the US, the European Commission has adopted an adequacy decision allowing US businesses to self-certify to receive EU personal data.

The EU-US Data Privacy Framework (the “Framework”) adequacy decision came into effect on 10 July 2023 and businesses have been able to rely on the adequacy decision since then.

Businesses can use the Framework as a basis for sending personal data from the EU to US businesses that self-certify under the Framework, without additional requirements such as standard contractual clauses. The adequacy decision means that the European Commission deems the Framework suitable to deliver an adequate level of protection for personal data transferred to self-certified businesses in the US, from the EU.

Who does this apply to?

The Framework only applies to data transfers between the EU and the US. All EU member states must recognise the adequacy decision. It does not apply to data transfers between the UK and the US.

An adequacy decision from the UK for transfers of personal data to the US has not yet materialised, though this is viewed as a priority for the UK, which is likely to be formalised in the coming months. Until such time, the transfer of data from the UK to the US will still be subject to stricter measures.

Why adopt a new framework?

This is not the first time a transfer mechanism between the EU and US has been implemented. The European Commission previously adopted an adequacy decision for EU-US data transfers known as the Privacy Shield self-certification scheme (the “Privacy Shield”).

The adequacy decision for the Privacy Shield was declared invalid on 16 July 2020 following the European Court of Justice’s ruling in Schrems II. One of the main reasons for this was the incredibly broad access rights granted to the US Intelligence Services, including a lack of legal recourse for such access. Because of this, standard contractual clauses and transfer risk assessments had to be relied upon to legitimise transfers to the US but these are burdensome on businesses and they are not a completely “risk free” solution. This meant that achieving a new adequacy decision was always at the forefront for EU and US data privacy professionals and businesses.

However, that is not to say that a similar result will not befall the new Framework and its’ adequacy decision. The decision is yet to be tested by the courts and the Framework and Privacy Shield are similar. Whilst the US has taken steps to improve the protection of EU data when it is transferred to the US, arguably the concerns raised in Schrems II may not have been fully addressed.

In the meantime, pending any challenge that might be made in the courts against the validity of the Framework, the Framework brings some welcome certainty and simplification for businesses transferring EU personal data to the US.

How does it work?

US businesses must self-certify under the Framework. The Framework and the Privacy Shield are similar and therefore those businesses that self-certified under the Privacy Shield should be able to repeat the process for the Framework.

The Framework contains the following seven core principles for the handling of personal data, which US businesses must comply with:

  • Access Principle: the business must grant individuals access rights to their own personal data and must be able to correct, amend or delete the data.
  • Accountability for onward Transfer Principle: the business must accept responsibility for any onward transfers of the personal data.
  • Choice principle: the business must allow individuals to opt out of having their personal data disclosed to third parties or used for a new purpose other than the purpose for which it was originally collected.
  • Data Integrity and Purpose Limitation Principle: the business must only process data relevant to and for the purposes for which it was collected as authorised by the individual.
  • Notice Principle: the business must inform individuals transparently about its participation in the Framework and data processing.
  • Recourse, Enforcement and Liability Principle: the business must ensure there is effective legal protection for its handling of personal data.
  • Security Principle: the business must ensure that the data is held securely.

Future developments

In the UK, the next step will be to achieve a similar adequacy decision for the free flow of personal data between the UK and US, which is expected in the coming months. Until this happens, businesses transferring personal data from the UK to the US must still implement one of the approved transfer mechanisms, usually standard contractual clauses, and continue to carry out transfer risk assessments as required by the Schrems II judgment.

If you have any questions regarding international transfers of personal data, please get in touch with the commercial team at Marriott Harrison.


Articles by Chris Mooney