This blog takes a quick look at the adequacy decision for the EU-US Data Privacy Framework (“DPF”) adopted by the European Commission on 10 July 2023.
We intend to publish more material about this important development in the coming weeks – including on the implications and way ahead for the UK. We will post new articles on the Privacy & Security insights page on the Kemp IT Law website.
1. What has changed?
The key change is that the European Commission has adopted its adequacy decision for EU-US personal data transfers made under the DPF.
This means the Commission has decided that personal data transferred to the US in this way will receive a sufficient level of protection once it gets there. As the adequacy decision puts it:
“… the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States.” (Recital 8, emphasis added)
“Certified” is important: for a transfer of personal data to benefit from the adequacy decision the US organisation must have certified its participation in the DPF. Organisations looking to rely on the DPF to make transfers will want to check the US Department of Commerce’s soon-to-be-launched DPF program website for their counterparty’s certification status and may wish to seek contractual commitments about maintaining certification in future.
2. Why is it significant?
The Commission’s decision marks an important and (for businesses that want to transfer personal data between the EU and US) helpful development in the ‘international transfers’ saga – an area which has dominated European and UK data protection since the CJEU’s Schrems II judgment in 2020.
The main practical point is that where personal data is transferred under the DPF, EU GDPR will no longer require counterparties to have SCCs (or another appropriate safeguard) in place or to have conducted transfer impact assessments (“TIAs”).
This will materially reduce the administrative burden that comes with making EU/US personal data transfers: companies have generally found SCCs to be complex and unwieldy and the post-Schrems II TIA process inherently legally uncertain.
3. When do the changes take effect?
The adequacy decision came into effect when the Commission adopted it – 10 July 2023. This means it is available for use now, subject to the US organisation’s DPF certification.
It is widely expected that legal challenges will be brought against the DPF on the basis that it does not fully address and remediate the issues raised in the Schrems II judgment. So it remains to be seen how long this new lower-friction framework will last.
4. What about the UK?
The Commission’s adequacy decision only covers transfers of personal data made under the EU GDPR. It does not affect those made under the UK GDPR (the UK’s post-Brexit flavour of GDPR).
For the UK, the next step will be the finalisation of the UK-US “data bridge”, the “UK Extension” to the DPF. In this regard, look out for the US Attorney General’s designation of the UK as a “qualifying state” under Executive Order 14086.