EU-US Data Privacy Framework: Simplifying trans-Atlantic data flows?
Wednesday 19th July 2023
Last week, the European Commission announced its adequacy decision for the EU-US Data Privacy Framework. The decision confirms that the EU is satisfied that the United States maintains an adequate level of protection for personal data transferred from the EU to US companies who are participating in the EU-US Data Privacy Framework.
What is the impact of the decision?
The result of the decision will enable organisations within the European Economic Area to freely transfer personal data to the participating companies in the US without the need to meet any additional criteria or put additional safeguards in place; in the same way that data can be shared between countries within the European Economic Area. This means that transfer mechanisms such as the Standard Contractual Clauses will no longer be needed for many EU-US transfers. Further benefits of the Framework include granting data subjects an appropriate right of access and various remedies if their data is incorrectly handled including independent dispute resolution mechanisms and an arbitration panel.
When does it come into force?
The decision came in to force on 10 July and will be reviewed within one year to assess the functioning of the Framework. Depending on the conclusion of the review, the frequency of the future reviews will be decided, which will be at least every four years. It is important to note that the decision may be adapted or withdrawn at any time if there are any developments which affect the level of protection given to privacy rights in the United States; given that an adequacy decision confirms an equivalent standard of protection in the relevant jurisdiction.
Is it applicable in the UK?
Whilst this is a significant decision for the European Commission, is not currently effective in the UK. It will only apply to those with processing activities in the EU. However, in June 2023, the UK and US government announced that the UK and the United States had reached a commitment to form a Data Privacy Framework, which will enable approved US companies to join the Framework and importantly receive personal data from the UK. Although the agreement is yet to be finalised and discussions are still ongoing, a data bridge would increase opportunities for UK businesses to send personal data to the US without having to incorporate burdensome and timely clauses into contracts. We are expecting this to be implemented promptly.