International transfers of personal data have been a tricky subject for many businesses since the introduction of the GDPR. Unless a territory outside of the EEA and UK has an ‘adequacy decision’ in its favour from the EU Commission, such a transfer usually involves additional papers – either binding corporate rules, which are increasingly rarely relied on by companies, or the preparation of Standard Contractual Clauses and/or the International Data Transfer Agreement, supported by transfer risk assessments. We’ve advised numerous clients on how to make such transfers compliantly, whether to members of their own international group of companies or to an unconnected business abroad.
One of the most controversial, but nonetheless common, territories for transfer into was the US but this situation has now been resolved – temporarily at least!
European personal data
On 10 July 2023, the European Commission announced the adoption of an adequacy decision on the EU-US Data Privacy Framework (DPF), as a consequence of the US’s recent announcement of new measures to protect European personal data. The DPF will be administered and monitored by the US Department of Commerce and was launched on 17 July 2023.
Where US companies adhere to the DPF, transfers of European personal data will now be possible without all the additional papers required for international transfers otherwise. This means that for many European businesses who have US parent companies, or are using US software providers or cookies, or are working with US suppliers or distributors, the risk involved in personal data transfers to the US is resolved.
US companies will be able to join the DPF by self-certifying, and annually re-certifying, their compliance with a set of privacy obligations using the new website.
UK personal data
The European Commission decision applies only to European personal data transfers, and a separate commitment in principle has been announced for the UK to join the EU’s DPF by extension – a new ‘data bridge’ created for the UK to transfer personal data to the US using mechanisms very similar to the EU DPF model.
The US has confirmed that from 17 July 2023, eligible US organisations wishing to self-certify compliance pursuant to the UK data bridge-extension to the EU-US DPF may do so. However, they may not begin relying on the UK extension to receive personal data transfers from the UK before the date that the UK’s relevant adequacy regulations enter into force.
Very soon, UK-based businesses should be able to make transfers of personal data from the UK to the US without the risk of breaching data protection laws and facing fines or other consequences.
DPF – a temporary solution?
The basis for the new US measures to protect European and UK privacy in e-communications is an executive order passed by President Joe Biden, which is a means of law making that can easily be changed or repealed, either by Biden’s own administration or any subsequent administration. This means there is some question as to how long the measures will be in place. In addition, there are doubts as to whether the new measures passed satisfy the requirements of adequacy, and intended challenges to the DPF have already been announced by Schrems and his privacy group, NOYB.