EU Adopts US Adequacy Decision
Key Contact: Declan Goodwin
On 10th July 2023, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (“DPF”), which will enable organisations to transfer EU personal data to certain US companies (as detailed below) without any additional restrictions.
The adoption follows years of negotiations between the EU and the US, after the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (CJEU) in the Schrems II case. You can read about this case in our article here.
What is an adequacy decision?
An adequacy decision is a formal decision made by the European Commission that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU does. This means that personal data can flow freely from the EU to the third country without further obstacles – for example, needing to use the EU’s standard contractual clauses.
What does this mean for organisations?
Prior to the EU adopting its adequacy decision, organisations wishing to transfer EU personal data to the US were only permitted to do so provided that they put additional safeguards in place. Most commonly, this involved the data exporter (being the party wishing to transfer the EU personal data) and the data importer (being the US-based organisation) needing to enter into the EU Standard Contractual Clauses (“EU SCCs”). The data exporter was also required to carry out a transfer risk assessment (“TRA”) prior to the transfer of the personal data. Many organisations have found this to be both a time-consuming and costly task.
Fast forward to the European Commission’s recent decision, which concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to organisations participating in the DPF. As a result, provided that the transfer is to a US-certified organisation, the data exporter can transfer personal data to the data importer without being subject to any further conditions or authorisations. In other words, without needing to use the EU SCCs and carry out a TRA.
A key point to note is that the US-based organisations must be certified, i.e. participating in the DPF. US companies can certify their participation in the DPF by committing to comply with a detailed set of privacy obligations. The US Department of Commerce (“USDC”) will be responsible for processing applications for certification and monitoring whether organisations are complying with the certification requirements. The USDC is currently in the process of launching a new website with more information on the self-certification process.
Next steps.
The EU Commission will continuously monitor relevant developments in the United States and regularly review the adequacy decision. The first review is due to take place within the next year, whereby the Commission will assess whether all relevant elements of the DPF are functioning effectively in practice.
UK perspective.
The Commission’s decision only covers transfers of personal data made under the EU GDPR. Therefore, it does not affect any transfers of personal data under the UK GDPR and organisations wishing to transfer personal data to US-based organisations will still need to put in place additional safeguards before doing so – most commonly, this includes the data exporter carrying out a TRA and using the UK’s International Data Transfer Agreement.
However, there is some good news. The UK is currently in the midst of finalising the UK-US “data bridge” (which is essentially a “UK Extension” to the DPF). Once finalised, organisations based in the UK will be able to make transfers to the US subject to similar restrictions.
For more information on how you can lawfully transfer personal data to the US (or any other country), please get in touch with our Commercial and Technology Team.