On 10th July 2023, the European Commission announced it had adopted its adequacy decision for the transfer of data between the EU and US (the EU-US Framework). This comes just three years after it had invalidated the previous framework, ‘Privacy Shield’.

So, what has changed in that time, and how does this affect the UK?

The European Commission

The European Commission helps shape the European Union’s (EU’s) strategy by proposing, implementing and monitoring EU laws and policies (including in relation to privacy and data protection). The EU’s General Data Protection Regulation (EU GDPR) grants the European Commission the power to decide whether a non-EU country offers an ‘adequate level of protection’ compared to that of EU countries. When the EU deems a country ‘adequate’, data may be transferred to that country from EU countries without additional safeguards in place (such as complying with the EU’s standard contractual clauses (SCCs)).

Why was Privacy Shield invalidated?

In July 2016, the European Commission deemed the EU-US ‘Privacy Shield’ Framework adequate, enabling data transfers to and from the US. This was short-lived, however, as in July 2020 the Court of Justice of the European Union (CJEU) issued a judgement declaring the Privacy Shield ‘invalid’, immediately preventing EU businesses from freely transferring data to the US.

A contributing factor to this judgement stems from US government surveillance powers. Such powers included targeting non-US data subjects’ communications outside of the US and accessing communications without first seeking a court order. The invasive nature of this level of access by the US government contradicts numerous core principles of the GDPR, such as transparency, integrity and confidentiality.

The Privacy Shield framework also limited US protection for non-US-based data subjects ‘to the extent necessary to meet national security’. This was interpreted by the CJEU as allowing the opportunity for US public authorities to access and use personal data that originated from the EEA, without necessary limitations and safeguards. Such shortfalls led to a lack of judicial remedy for EU data subjects as a Privacy Shield ombudsperson would not meet the standard of a wider ‘tribunal’. This would prevent data subjects from asking judges to review US authority actions and ultimately fall short of yet another GDPR principle: accountability.

EU-US Data Privacy Framework

As of 10th July 2023, there is now a new framework in place called the EU-US Data Privacy Framework. This means that, provided the framework is followed, the US is now an ‘adequate’ country for the EU to freely transfer data to. The President of the European Commission, Ursula von der Leyen, welcomed the introduction of the new framework, saying it ‘will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic’.

With the new framework being introduced, so too is the Data Protection Review Court. The Data Protection Review Court (or ‘DPRC’) addresses some of the aforementioned concerns. Specifically, it will act as an independent body that will investigate and aim to resolve complaints with the power to enforce remedial measures. The European Commission suggests that if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order deletion of the data, thus remedying the previous accountability issue relating to the US public authorities.

Additionally, access by US public authorities has been limited to what is ‘necessary and proportionate’, tightening up the free rein that surveillance powers previously enjoyed. The public authorities, alongside all US businesses, will be obligated to delete personal data once its purpose has been served. This approach may be seen as an attempt to restore the transparency and confidentiality principles lacking in the previous framework.

In any case, it remains to be seen how the framework will operate in practice and whether it will fully address the shortfalls of the prior Privacy Shield. Well-known privacy activist Max Schrems, who played a central role in challenging the 2016 Privacy Shield, has questioned the new framework and believes it does not sufficiently address the ‘fundamental’ surveillance issues. As it stands, however, the new framework has immediate effect, and US businesses can self-certify and engage in free-flowing data transfers with EU countries.

What about the UK-US Relationship?

Following the UK’s departure from the European Union, the framework does not have a direct effect on UK-to-US transfers, as the UK is responsible for making its own determinations of adequacy and implementing its own mechanisms for international transfers.

For a UK business to transfer data to the US, there is currently no adequacy decision (although reaching one is a commitment of the Department for Science, Innovation and Technology). Instead, the business would need to comply with an international data transfer mechanism approved by the Information Commissioner’s Office. For more information on this, please read International Data Transfers from the UK – What you need to know for your Business.


If you have any further enquiries regarding the EU-US Framework, please feel free to contact our Intellectual Property, Data Protection & Technology team and we would be happy to help.