European Commission Adopts Adequacy Decision for EU-US Data Transfers

On 10 July 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-US Data Privacy Framework (the “Framework”). As a result, personal data can be transferred freely from the EU to organisations in the US who participate in the Framework.

International Data Transfers

The GDPR (General Data Protection Regulation) prohibits personal data transfers to countries outside of the EU unless certain conditions are met. In principle, transfers may take place in any of the following circumstances:

• To a country with an EC adequacy decision (GDPR Article 45)

• With appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) with supplementary measures (for UK companies, the International Data Transfer Agreement can be adopted) or Binding Corporate Rules, if data subjects have enforceable rights and effective legal remedies (GDPR Articles 46 and 47)
• Where a derogation for a specific situation applies, for example the data subject has given their explicit consent (GDPR Article 49).

In July 2020, the European Court of Justice ruled the EU-US Privacy Shield was not a valid mechanism to transfer personal data from the EU to US (Schrems II) as it did not provide adequate safeguards for the data. Since then, businesses have needed to implement alternative safeguards to transfer data to the US.

What is the Data Privacy Framework?

The Framework addresses the issues arising from the Schrems II decision. It outlines commitments to privacy obligations US businesses must agree to when receiving EU individuals’ personal data. US businesses signed up to the Framework do not need to put in place additional transfer safeguards.

The Framework addresses the key concerns from Schrems II, to ensure data can only be accessed by US intelligence agencies to the extent that it is necessary and proportionate for them to do so. It also establishes an independent and impartial redress mechanism to handle and resolve complaints from European data subjects concerning their data being collected for national security purposes.

What does the Data Privacy Framework mean for the UK?

The Framework applies to data transfers from the EU, meaning the UK does not benefit from it. However, the UK and US committed, in June 2023, to establish the UK extension to the Framework, that will create a ‘data bridge’ between the two countries. This is a commitment in principle, so businesses should monitor progress towards a formal agreement.

If you have any questions on transferring personal data internationally, please contact our Data Privacy team.