12 July 2023
The European Commission has adopted an adequacy decision for data transfers to businesses self-certified under the EU-US Data Privacy Framework, with wider impact for transfers under SCCs and BCRs. But what does this mean for the UK?
Since the ECJ Schrems II judgment, there has been no adequacy decision in favour of the USA. This has meant that an additional transfer mechanism (like Standard Contractual Clauses) was needed to enable the transfer of personal data from the EEA and the UK to the USA. As a result of the Schrems II judgment, data exporters have also been required to carry out transfer impact assessments (TIAs) and implement supplementary measures to protect personal data where needed – a laborious and uncertain process.
On 11 July 2023, the EC's new adequacy decision for the EU-US Data Privacy Framework (DPF) came into force. The DPF aims to address the two main issues the ECJ found with the level of protection given to EU personal data transferred to the USA – the access to EU data granted to the US intelligence authorities, and the question of redress for EU citizens in the event of unlawful processing of their personal data.
The DPF provides new assurances that:
The adequacy decision is subject to regular reviews by the Commission to verify it is being fully implemented and functioning effectively. The DPF will be administered and monitored by the US Department of Commerce (DOC) and enforced by the US Federal Trade Commission. The EDPB has said it will develop an information note on the implications of the DPF in the next few weeks.
Guidance has been published by the DOC's International Trade Administration on how to transition from the Privacy Shield to the DPF. US-based organisations that self-certified under the Privacy Shield must comply with the DPF principles, including by updating their privacy policies by 10 October 2023. The DPF does not change their re-certification dates and if they do not wish to participate in the DPF, they need to complete the withdrawal process. The Swiss-US DPF will also enter into effect on 17 July 2023, and the DPF website through which self-certification can be made (www.dataprivacyframework.gov) will be launched on the same date.
As a result of the adequacy decision, any US business which self-certifies under the DPF (the principles of which are very similar to those under the Privacy Shield) will be able to import EU (and most likely shortly EEA) personal data without the need for additional transfer mechanisms.
The adequacy decision is also good news for those EU organisations using other transfer mechanisms like Standard Contractual Clauses or Binding Corporate Rules to transfer personal data to the USA. In its FAQs accompanying the adequacy decision, the Commission notes that all safeguards that have been put in place by the US government in the area of national security (including the redress mechanism), apply to all GDPR data transfers to companies in the US, regardless of the transfer mechanism used. The safeguards "therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules". This suggests an end to the requirement for supplementary measures as, while a TIA may still be necessary, the adequacy decision effectively ensures that the TIA will conclude no supplementary measures are required.
Having said that, some organisations may consider it prudent both to continue to use SCCs rather than defaulting to the DPF, and even, potentially, to continue using or implementing supplementary measures to provide a higher level of certainty. NOYB (the organisation set up by Max Schrems) has already confirmed it will challenge the adequacy decision so 'Schrems III' looks highly likely. Whether or not it results in the DPF eventually being struck down is likely to depend on the effectiveness of the scheme. In particular, the role of the DPRC, and transparency around levels of access to EU data, will be under scrutiny. There are already concerns that the DPRC will have limited impact and that its decisions will be insufficiently transparent to provide meaningful redress. Any legal challenge is, however, some way down the road and for now at least, the adequacy decision is effective.
While the UK was impacted by the Schrems II decision, it obviously does not benefit from the new EC adequacy decision. On the same day President Biden's Executive Order (EO) underpinning the DPF was published, the UK government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy. The Statement announced "significant progress on UK-US data adequacy discussions" which had been a priority for successive governments since Brexit took effect. The commitment to a UK-US data bridge was reiterated in June 2023.
On 11 July 2023, the US International Trade Administration confirmed that from 17 July 2023, US organisations may self-certify compliance pursuant to the UK Extension to the EU-US DPF. They may not, however, begin relying on it to receive personal data from the UK and Gibraltar before the UK's anticipated adequacy regulations implementing the Data Bridge enter into force. Organisations participating in the UK Extension must also participate in the EU-US DPF. The UK may take some comfort that it will not be subject to any 'Schrems III' decision, although that does not preclude a separate legal challenge in the UK.
All in all, the DPF and the EU adequacy decision will facilitate frictionless data flows for EU businesses looking to export personal data to the USA, and for US importers. Switzerland, the UK and EEA country organisations are also likely to benefit shortly.