The American dream has come true for EU businesses that export personal data to the US

The European Commission (EC) has taken a decision that will have positive and significant effects for businesses that transfer personal data from the EU to the US. The decision also has welcome implications for transferring data from the UK to that territory.

On 10 July 2023, the EC adopted an adequacy decision for transfers of personal data from the EU to the US under the EU/US Data Privacy Framework (the DPF).

The DPF provides a new basis for the flow of personal data from the EU to the US, at least for exports of such data to recipients in the US that self-certify under the new framework.

This decision is significant for international commerce between the EU and the US, due to the volume of personal data that is transferred between the two territories.

Key Takeaways

  • The GDPR includes a restriction on the transfer of personal data from the EU to “non-adequate” destination territories. However, the GDPR also permits the EC to decide that third countries provide an “adequate” level of protection for personal data imported into those territories.
  • Where a third country is “adequate”, the exporting organisation does not need to apply additional safeguards to the transferred data to render the transfer lawful under GDPR.
  • Prior to July 2020, it was possible for organisations to transfer personal data from the EU to the US in a lawful manner under the GDPR by using the EU/US Privacy Shield scheme. However, the European Court of Justice (CJEU) invalidated this scheme in its seismic “Schrems II” decision of July 2020, citing particular concerns around the access to transferred data by US governmental agencies.
  • Since Schrems II, businesses transferring personal data from the EU/UK to the US have had to apply safeguards to those transfers (such as Standard Contractual Clauses/SCCs) and prepare transfer risk assessments (TIAs). This has given many businesses an administrative and legal headache.
  • Since Schrems II, the US has made important changes to the way its agencies access and collect personal data for intelligence purposes. The EC has therefore decided that the DPF is adequate for the purposes of legitimising transfers of data between the EU and US.
  • To join the DPF, a US organisation must do the following:
    • Develop an appropriate privacy policy.
    • Identify an independent recourse mechanism.
    • Self-certify with the US Department of Commerce via its website.

Our View

  • This news will be welcomed by businesses that transfer personal data from locations in the EU to the US. Parties to such transfers will not need to prepare additional safeguards or TIAs regarding transfers covered by the DPF going forward.
  • However, businesses should take note that the DPF:
    • Only applies to those US organisations that certify under it.
    • Is subject to periodic review by the EC, European Data Protection Authorities and competent authorities. It is also open to challenge before the European Courts (as the Privacy Shield was in Schrems II).
  • If you are proposing to transfer personal data from the EU to the US, you should check whether the US importer is certified under the DPF and that the proposed transfer would be covered by that certification. You might also need to update your privacy notice(s) to reflect that you transfer data internationally under the DPF scheme.
  • The DPF retains some similarities with its Privacy Shield predecessor. If you are a US business and were certified under the Privacy Shield scheme, you should be in a good starting position to self-certify under the DPF.
  • Lastly, the adoption of the DPF bodes well for the introduction of a UK to US “data bridge”, which would serve to extend the DPF to transfers of personal data from the UK to the US. We discuss this topic in more detail in our article “A (Data) Bridge to….the US: How the EU’s American Dream Will Extend to the UK” elsewhere in this newsletter.

 

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
