New EU-US Data Privacy Framework adopted

11th July 2023

Background

The transfer of EU-based individuals’ data outside Europe is governed by the EU data protection regulation (“GDPR”). There is a particular sensitivity over transfers of data from the EU to the US, given concerns about the security of the data once it is in the US and the ability of US intelligence authorities to access it.

Given the volume of data which is routinely transferred from the EU to the US, there have been multiple attempts to ‘safeguard’ these data transfers by giving US companies a way to become certified against criteria approved by the EU, which gives them an EU ‘gold standard’ and provides assurances as to the security of individuals’ data for the purpose of the data transfer. Another practical benefit is that it avoids the need for companies to enter into detailed individual data transfer documentation (usually using EU-approved "Standard Contractual Clauses"), which can be burdensome, particularly in the case of group company transfers.

How did we get here?

By way of a short history:

  • For those of us that have been doing data protection since before it was fashionable, you may remember the Safe Harbour Agreement, which allowed the free transfer of EU data to the US. This mechanism was invalidated in 2015.
  • Then followed the Privacy Shield, which had a similar objective, and which was also invalidated in July 2020 by a decision of the Court of Justice of the European Union.

The new Data Privacy Framework

On 10 July 2023, the European Commission adopted the new Data Privacy Framework.

Under the new Data Privacy Framework, where individuals’ data is transferred from the EU (note: not the UK) to the US (provided that the receiving company in the US has signed up to the terms of the Data Privacy Framework), no additional safeguards (or paperwork!) are needed and the personal data will be able to flow freely.

The Data Privacy Framework will be administered and monitored by the US Department of Commerce, and the US Federal Trade Commission will be responsible for enforcing US companies' compliance with it.

How is this mechanism different?

The European Commission has said that the Data Privacy Framework introduces new binding safeguards to address the concerns that were previously raised by the Court of Justice of the EU in relation to the Privacy Shield, including limiting access to EU data by US intelligence services to what is “necessary and proportionate”, and establishing a Data Protection Review Court (“DPRC”), to which EU individuals will have access.

The European Commission has said that this new framework represents a significant improvement compared to the Privacy Shield, since if, for example, the DPRC finds that there has been a violation of the new safeguards, it will be able to order the deletion of the data.

In addition to this, US companies that subscribe to the Data Privacy Framework will need to comply with additional detailed obligations regarding protection of the data. For example, they will need to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is further shared with a third party.

The Data Privacy Framework will be subject to periodic reviews by the European Commission, the first review being within the first year.

What next?

In the coming months we are likely to see a number of international companies that routinely transfer data from the EU to the US signing up to this new mechanism.

It remains to be seen whether this mechanism adequately addresses the data security concerns that caused its two predecessors to be invalidated and whether this may be open to challenge. But for the moment, this is good news for international businesses.