On 10 July 2023, the European Commission adopted an adequacy decision in relation to the EU-US Data Privacy Framework.
The Framework now becomes an alternative legal mechanism under which personal data can be transferred from the EU to the US. Using the Framework will remove the need to use another mechanism, such as standard contractual clauses, and will also remove the need to conduct a transfer impact assessment in relation to the transfer.
How will it operate?
Each US company wishing to use the Framework will need to self-certify its compliance with certain essential privacy rules (along the lines of the key GDPR requirements) with the US Federal Trade Commission (FTC). Once registered, data transfers from the EU to that US company can commence under the Framework.
Only companies which are subject to the FTC’s jurisdiction can participate in the Framework; businesses subject to other regulatory regimes (such as banks, insurers and telcos) are not eligible to join, although if they do voluntarily agree to abide by the Framework’s principles, that should make it easier for them to successfully pass a transfer impact assessment whilst relying on standard contractual clauses.
What about transfers out of the UK?
Data transfers between the UK and the EU are already covered by mutual adequacy recognition as part of the post-Brexit arrangements. The UK government has indicated that it would like to build on the Framework in relation to its own adequacy decision for UK-US data transfers, which is likely to form part of the “data bridge” recently announced by Prime Minister Rishi Sunak and the President of the United States, Joe Biden. This is still in development but an announcement is expected soon.
Is this the same as Safe Harbor or Privacy Shield?
The two key previous attempts at an EU-US data transfer scheme – Safe Harbor and Privacy Shield – both failed to defeat legal challenges in the Court of Justice of the EU (CJEU). For the Framework, changes have been made to a number of areas which were in place under Privacy Shield (the policies of various security agencies, allowing the EU countries to benefit from the protections provided and establishing a “Data Protection Review Court”, for example), in an attempt to ensure that the Framework complies with GDPR requirements and will not suffer the same fate as its predecessors.
Will the Framework succeed?
Schrems I brought down Safe Harbor in 2015. Schrems II took out Privacy Shield in 2020. Max Schrems, an Austrian activist and lawyer, has already said that he plans to bring a challenge to the Framework decision soon and expects this issue to be at the CJEU at the beginning of 2024. The Framework might be a short-lived solution.
If you are a business transferring personal data from the UK or the EU to the US, you should already have in place an appropriate transfer mechanism – probably standard contractual clauses. Whilst the Framework is being set up, there is no need to make any change to your arrangements – other than perhaps updating your “transfer impact assessment” in relation to transfers to the US, as this new EU adequacy decision essentially offers additional validation for the safeguards provided by the US system. In due course, some US companies will start to self-certify under the Framework and then inform their EU and UK partners that they wish to use the Framework to govern their data transfers (and so perhaps terminate any other contractual arrangements in place). At that point, careful consideration will need to be given to the proposal and the best way forward.
If you have questions about the EU-US Data Privacy Framework, please contact Dan Tozer.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.