The European Commission recently published its draft adequacy decision on the EU-US Privacy Framework (the Framework), which will allow for the safe transfer of data from European companies to US companies without the need for additional protection safeguards. In short, it will allow for the transfer of data to third countries to be handled in the same way as the intra-EU transmission of data.

The decision comes after the previous adequacy decision on the EU-US Privacy Shield was invalidated.

What is an adequacy decision?

An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) (or UK GDPR) to transfer personal data from the European Union (EU) to third countries. These third countries offer a comparable level of protection of personal data to that of the EU. An adequacy decision allows for the free flow of personal data safe from the EU to a third country without being subjected to further stringent conditions or authorisations.

How will the decision work in practice?

Companies based in the US will be able to certify their participation in the Framework and will commit to complying with a set of key privacy obligations. These obligations will include complying with the purpose limitation principle and the data retention principle under GDPR.

The Framework will also allow EU members to benefit from various remedies if the handling of their personal data is in direct violation of the Framework.

So what’s next?

The new Framework will be reviewed by the European Data Protection Board (EDPB), which will then put forward the proposal before a committee of EU Member State representatives. The European Parliament will also have a right of scrutiny over the draft decision. If approved, it is estimated that the adoption process will take around six months.

The functioning of the Framework will be subject to regular reviews which will verify whether all relevant conditions of the Framework have been fully implemented and are functioning as they should.

What are companies expected to do in the meantime?

Companies should continue to rely on the other transfer mechanisms available under the GDPR and should continue to follow the EDPB’s recommendations on measures that supplement transfer tools, for example introducing Standard Contractual Clauses into commercial contracts. We anticipate that further guidance on the new adequacy decision will be published in due course.

It is important to note that this is, however, an EU decision on adequacy and not a UK one. Therefore, if this is introduced, it will apply to companies in the EU who want to make transfers to the US (and not to UK-based companies). UK companies will have to wait and see whether a UK-US adequacy decision is made, which we will hopefully see in 2023. However, in the meantime, UK companies will need to make sure that they have other safeguards in place to lawfully transfer data to the US.

For more information, or to discuss the issues facing your business, please contact me directly or join our Data Protection Hub here.