EU Adopts US Adequacy Decision

Print Friendly, PDF & Email

EU Adopts US Adequacy Decision

Key Contact: Declan Goodwin

Author: Adam Munn

On 10th July 2023, the European Commission adopted a new adequacy decision for the EU-US. Data Privacy Framework (“DPF”), which will enable organisations to transfer EU personal data to certain US companies (as detailed below), without any additional restrictions.

The adoption follows years of negotiations between the EU and the US, after the invalidation of the EU.US Privacy Shield by the Court of Justice in the European Union (CJEU) in the Schrems II case. You can read about this case in our article here.

What is an adequacy decision?

An adequacy decision is a formal decision made by the European Commission that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU does. This means that personal data can flow freely from the EU to the third country without further obstacles – for example, needing to use the EU’s standard contractual clauses.

What does this mean for organisations?

Prior to the EU adopting its adequacy decision, organisations wishing to transfer EU personal data to the US, were only permitted to do so, provided that they put additional safeguards in place. Most commonly, this involved the data exporter (being the party wishing to transfer the EU personal data) and the data importer (being the US-based organisation) needing to enter into the EU Standard Contractual Clauses (“EU SCCs”). The data exporter was also required to carry out a transfer risk assessment (“TRA”) prior to the transfer of the personal data too. Many organisations have found this to be both a time-consuming and costly task.

Fast forward to the European Commission’s recent decision which concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to organisations participating in the DPF. As a result, provided that the transfer is to a US certified organisation, the data exporter can transfer personal data to the data importer without being subject to any further conditions or authorisations. In other words, without needing to use the EU SCCs and carry out a TRA.  

A key point to note is that the US-based organisations must be certified i.e. participating in the DPF. US companies can certify their participation in the DPF by committing to comply with a detailed set of privacy obligations. The US Department of Commerce (“USDC”) will be responsible for processing applications for certification and monitoring whether organisations are complying with the certification requirements. The USDC is currently in the process of launching a new website with more information on the self-certification process.

Next steps.

The EU Commission will continuously monitor relevant developments in the United States and regularly review the adequacy decision. The first review is due to take place within the next year, whereby the Commission will assess whether all relevant elements of the DPF are functioning effectively in practice.

UK perspective.

The Commission’s decision only covers transfers of personal data made under the EU GDPR. Therefore, it does not affect any transfers of personal data under the UK GDPR and organisations wishing to transfer personal data to US-based organisations will still need to put in place additional safeguards before doing so – most commonly, this includes the data exporter carrying out a TRA and using the UK’s International Data Transfer Agreement.

However, there is some good news. The UK is currently in the midst of finalising the UK US “data bridge” (which is essentially a “UK Extension” to the DPF). Once finalised, organisations based in the UK will be able to make transfers to the US subject to similar restrictions.

For more information on how you can lawfully transfer personal data to the U.S (or any other country), please get in touch with our Commercial and Technology Team.

Recent Posts

IP Owners vs. AI Developers
December 19, 2024
Potential changes to marine tourism tax
What You Need to Know about the Upcoming Tax on Welsh Marine Tourism
December 16, 2024
Image about business tenancies
Examining the Future of Business Tenancies: Law Commission Launches Consultation on the Right to Renew
December 16, 2024
Need some corporate finance advice? Meet Acuity Alliance Partner Adam Street Advisers
December 12, 2024
Business man in a paper boat with arrow waves threatening him
Risk Management and Due Diligence: What You Need to Know When Trading Overseas
December 12, 2024
Assisted dying and probate disputes
Assisted Dying and its Potential Impact on Probate Disputes
December 11, 2024

Archives

Categories

Skip to content