EU-US Privacy Framework Approved: A Milestone in Transatlantic Data Protection

The European Commission has adopted its adequacy decision on the EU-US Data Privacy Framework (The Framework). The decision, which became effective on 10 July 2023, means that the United States offers an adequate level of protection, comparable to that in the EU, for the transfer of personal data from the EU to the US. Companies in the US will be able to join The Framework by committing to comply with certain privacy obligations.

It has been a long road to get to this adequacy decision. Over the last 8 years, the Court of Justice of the European Union (CJEU) invalidated the US-EU Safe Harbor Framework in 2015 (the decision known as Schrems I), and the EU-US Privacy Shield came into effect in 2016 before it was invalidated by the CJEU in 2020 (known as Schrems II). An executive order to implement the new EU-US Data Privacy Framework was introduced in October 2022, nine months before the adequacy decision was put in place.

What is an adequacy decision?

An adequacy decision is one of the approved methods of transferring personal data, under the General Data Protection Regulation (GDPR), from the EU to a third country. For an adequacy decision to be reached, the third country must offer a level of protection of personal data comparable to that in the EU. This allows for the free flow of personal data safely between the EU and the third country without the need for other safeguards, such as standard contractual clauses, to be in place.

How does the Framework work in practice and what does this mean for US companies?

Companies in the US will be able to self-certify their participation in The Framework and will need to re-certify annually. By certifying, these companies agree to comply with their privacy obligations, which include, but are not limited to, the Data Protection Principles (purpose limitation, data minimisation etc.) and how they transfer data securely to third parties. The Framework also provides individuals in the EU with several new data protection rights, including how to obtain access to their data and how to request deletion of their data, when their data is being transferred to US companies that have signed up to participate in The Framework. The US Department of Commerce will ensure that the US companies involved continue to meet the requirements of The Framework. Companies will also need to update their privacy policies within three months to ensure their policies refer to the "EU-US Data Privacy Framework Principles".

The European Commission will also review the adequacy decision a year after it comes into force, to ensure that The Framework is working effectively, and further reviews will take place at least every four years. It is important to note that, if developments occur which affect the level of protection the third country can offer, the adequacy decision can be removed or adapted at any time. The European Commissioner has said: "The adequacy decision ensures that data can be transmitted between the European Union and the US on the basis of a stable and trusted arrangement that protects individuals and provides legal certainty to companies." The data flow between Europe and the US is larger than anywhere else in the world and so this decision will help the economic relationship between them.

Whilst this currently only affects EU members, a press release from the Department for Science, Innovation and Technology in the UK has said there is a commitment between the UK and the US to establish the UK extension of the Data Privacy Framework, which will create a 'Data Bridge', allowing the transfer of personal data between the UK and the US without the need for any further transfer mechanisms to be put in place. In the meantime, UK businesses with European entities may be able to benefit from The Framework when transferring data from the UK to the US, although this will of course depend on the particular circumstances.

What happens now?

On 17 July 2023, the Data Privacy Framework website was published, which is where businesses can certify their participation in The Framework. It also sets out an overview of The Framework and has updates on the developing Framework as the UK extensions come into play. For now, UK companies will still need to ensure appropriate safeguards are in place for the transfer of personal data to the US.

For more information on International Data Transfers, or to discuss data protection issues your business may be facing, please contact us directly at Dataprotection@prettys.co.uk. To receive our latest updates, developments and invites to our events, please join our Data Protection Hub here.

Expert
Emma Loveday-Hill
Partner