What’s the change in position in relation to EU–US international data transfers?
On 11 July 2023, following years of intense negotiations, the European Commission (EC) adopted an adequacy decision (the EU DPF Adequacy Decision) for data transfers to businesses that were self-certified under the EU–US Data Privacy Framework (DPF). The UK has not yet followed suit, so the UK rules on international data transfers remain unchanged as at the date of this article.
Since the Schrems II judgment by the Court of Justice of the European Union (CJEU) in July 2020, there has been no adequacy decision in favour of the USA for compliant EU or UK personal data transfers. This has meant that an additional transfer mechanism (like use of the UK and EU’s standard contractual clauses) was needed to enable compliant transfer of personal data from the European Economic Area (EEA) and the UK to the USA.
Data exporters have also been required to carry out a further assessment of whether the transfer creates additional risk to an individual. This assessment is known as a transfer risk assessment (TRA) in the UK, or a transfer impact assessment (TIA) in the EU.
The DPF is intended to address the main issues that the Schrems II case found with the level of protection given to personal data transferred to the USA:
Access to personal data that may be shared with US intelligence organisations. Under the DPF, this access should now be limited to necessary and proportionate sharing to protect national security.
Appropriate redress for EU and UK individuals in the event of unlawful processing of their personal data. Under the DPF, individuals should have access to a new independent Data Protection Review Court (DPRC), which can ensure that remedies are ordered if any data processing is carried out in violation of the safeguards set out in the DPF.
The DPF will be subject to periodic reviews by:
The EC, to ensure that it is operating as it should and is fully implemented.
The US Department of Commerce (US DOC), which will administer and monitor the DPF. It will be enforced by the US Federal Trade Commission.
What do we need to do to ensure compliant transfer from the EU to the USA under the DPF?
Further guidance is expected from the European Data Protection Board (EDPB) in due course. In the meantime, the US DOC International Trade Administration has published its own guidance to US organisations on how to transition from the previous EU–US Privacy Shield to the DPF. In short, US-based organisations that had previously self-certified under the now defunct Privacy Shield are expected to comply with the DPF principles, including by updating their privacy policies by 10 October 2023. If they do so, the DPF does not change their re-certification dates. This means that organisations that were self-certified under the previous Privacy Shield framework will have a simplified procedure for self-certification under the DPF.
If a US organisation no longer wants to be certified under the DPF, it will need to complete the withdrawal process.
The DPF website that enables organisations to self-certify under the DPF (the principles of which are very similar to those under the previous Privacy Shield) has now gone live at www.dataprivacyframework.gov, so US organisations that wish to self-certify and enable compliant transfers should register there.
As a result of the EU DPF Adequacy Decision, any US business that self-certifies under the DPF will be able to import EU (and hopefully soon all EEA – see below) personal data without the need for additional international data transfer mechanisms.
Will we still have to carry out EU TIAs?
In the EC’s Q&A on the EU–US Data Privacy Framework, it states that all national security safeguards that have been put in place by the US government (including the redress mechanism) apply to all EU GDPR data transfers to companies in the USA, regardless of the transfer mechanism used. Those safeguards "therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules".
This seems to suggest an end to the requirement for supplementary measures. A TIA may still be necessary, but it is hoped that the EU DPF Adequacy Decision will ensure that the TIA will conclude that no further supplementary measures are required. Hopefully, further guidance from the EDPB will provide more clarity.
Will organisations that transfer personal data from the EU to the USA still put standard contractual clauses in place?
It is possible that some organisations may still consider using standard contractual clauses (SCCs) rather than defaulting to the DPF. They may even implement further supplementary measures to provide a higher level of certainty.
NOYB, the organisation founded by Max Schrems whose litigation led to the original Schrems II judgment, has already stated that it will challenge the EU DPF Adequacy Decision. This means that a Schrems III-type case may go forward, putting the role of the DPRC and transparency around levels of access to EU data under scrutiny. For example, will there be sufficient transparency to provide meaningful redress? Such a challenge may be less likely to succeed if the DPF scheme works as well as hoped.
For now, of course, the EU DPF Adequacy Decision has been granted, is in effect and allows compliant transfer to those US companies that sign up to the DPF for EU–US data transfers. During a press conference on 10 July 2023, EU Justice Commissioner Didier Reynders explained, “with the adoption of the adequacy decision, personal data can now flow freely and safely from the EEA to the USA without any further conditions or authorisations.” When asked about the possibility of further challenge against the EU DPF Adequacy Decision, Reynders stated, “[the Commission] is very confident to try to not only implement such an agreement, but also to defend [it] in all procedures that [it will] have to face.”
Are any other countries (including the UK) following suit with a new adequacy decision?
We have been delaying publication of this blog in the hopes of news from the UK of its own adequacy decision, but there is no news just yet (see more below on this).
The Swiss–US DPF, however, also entered into effect on 17 July 2023.
UK law was affected by the Schrems II decision, but post-Brexit, the UK doesn’t benefit from the new EU DPF Adequacy Decision. Organisations will be able to sign up to the UK extension of the EU–US DPF, but this currently doesn’t create a valid transfer from the perspective of UK law (see below).
On 7 October 2022, the same day that US President Joe Biden's Executive Order (EO) underpinning the new DPF was published, the UK government published its UK–US Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy. The statement announced "significant progress on UK–US data adequacy discussions", which had been a priority for successive governments since Brexit took effect. That commitment to a UK–US adequacy decision was reiterated in June 2023.
On 11 July 2023, the US International Trade Administration stated that from 17 July 2023, US organisations:
May self-certify compliance pursuant to the UK Extension to the EU–US DPF, but may not begin relying on the DPF to import personal data from the UK and Gibraltar before the UK makes its own UK–US adequacy decision.
That participate in the UK Extension must also participate in the EU–US DPF.
The UK may take some comfort that it will not be subject to any CJEU decision that may occur if there is a Schrems III-type case. However, there may be a separate legal challenge in the UK, so a watching brief will be needed.