International data transfers to the US – still on shaky ground

International transfers of personal data have been a tricky subject for many businesses since the introduction of the GDPR in 2018 and even more since June 2020 when the protection Privacy Shield was removed by the European courts.

Recently there have been developments, and while there appears to have been a rapprochement between the EU, the UK and the US to make transfer to the US easier, we fear this may not last long.

European personal data

On 10 July 2023, the European Commission announced the adoption of an “adequacy decision” on the EU-US Data Privacy Framework (“DPF”) as a consequence of the recent US announcement of new measures to protect European personal data. The DPF will be administered and monitored by the US Department of Commerce and was launched on 17 July 2023.

Where US companies register with the DPF, they will effectively be deemed to have received an adequacy decision in their favour. This means that transfers of European personal data will now be possible without all the additional papers previously required for international transfers. For many European businesses who have US parent companies, or are using US software providers or cookies, or are working with US suppliers or distributors, the risk involved in making personal data transfers to the US is resolved.

US companies can join the DPF by self-certifying, and annually re-certifying, their compliance with a set of privacy obligations using the new website. The registration system is not open to all US businesses and the process is laborious and costly. It is reported elsewhere that US businesses are taking a “wait and see approach” to signing up, largely due to an Austrian activist named Max Schrems threatening to challenge the validity of the DPF in the near future.

UK position

A separate commitment in principle was announced in June and confirmed this week by the UK government, for the UK to join the EU’s DPF by extension – a new ‘data bridge’ created for the UK to transfer personal data to the US using very similar mechanisms as the EU DPF model will be available from the 12 October 2023.

This means that transfers of UK personal data can be made to US recipients who are registered to the DPF for UK transfers without reliance on any “appropriate safeguards” or derogations: the transfers can essentially be made on the same basis as any data processing or sharing takes place within the UK or the EEA.

The first step for UK exporters of personal data to the US will therefore be to ask whether the recipient is registered to the DPF data bridge. If not, then no adequacy decision protects the transfer and personal data should continue to be protected by use of appropriate safeguards – often the International Data Transfer Agreement or Addendum with a transfer risk assessment in support.

DPF and the data bridge – a temporary solution?

The basis for the new US measures to protect European and UK privacy in e-communications are an executive order passed by President Joe Biden, which is a means of law-making that can easily be changed or repealed, either by Biden’s own administration or any subsequent administration. As a result, there is scepticism as to how long the measures will be in place. In addition, there are doubts as to whether the new measures passed fully satisfy the requirements of adequacy, and intended challenges to the DPF have already been announced by Schrems and his privacy group, NOYB.

This is an updated version of an article on this topic from July 2023. You can read that version here.