EU–US Data transfers: Draft adequacy decision published
On 13 December 2022, the European Commission issued a draft adequacy decision for data flows between the US and EU.
Background
Any international transfers of personal data under the GDPR (adopted in the UK via the UK GDPR) need to ensure the third country (the country to which the data is transferred) has adequate levels of data protection. This requires either an “adequacy decision” or another appropriate safeguard.
Previously, data transfers between the EU and US were permitted if they followed the mechanisms in the EU-US Privacy Shield. However, the Privacy Shield was ruled invalid in July 2020 by the European Court of Justice in the “Schrems II” case.
Since July 2020, data transfers between the EU and US have required alternative safeguards (for example, Standard Contractual Clauses or Binding Corporate Rules). The Schrems II Ruling also outlined that additional safeguards are needed when relying on Standard Contractual Clauses.
Draft adequacy decision
The draft decision issued by the EU concludes that the US framework provides comparable safeguards to those in the EU. US organisations will be permitted to join the EU-US Data Privacy Framework (the “Framework”) if they commit to complying with a detailed set of privacy obligations. For example, personal data will need to be deleted when it is no longer necessary for the purpose for which it was collected, and protection of data must continue when personal data is shared with third parties. There will be new redress avenues for EU citizens if their data is handled in a way that does not comply with the Framework.
This development will be welcomed by both controllers in the EU and the US as it would allow a smoother transition of data between the countries.
Next steps
The draft adequacy decision will now be sent to the European Data Protection Board (EDPB) for its opinion. Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. The European Parliament may also scrutinise any draft adequacy decision. Once this procedure is completed, the Commission can adopt its final adequacy decision.
If approved, the Framework will be subject to periodic reviews. These will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the adequacy decision comes into force.
How does this impact the UK?
While the draft adequacy decision is for EU-US data transfers, the UK will likely be keeping a very keen eye on developments. If an adequacy decision is adopted, via the Framework, for data transfers between the EU and US, it is likely the UK will seek a similar arrangement for UK–US data transfers, as the UK has a similar data protection regime under the UK GDPR.
This article was first published on 15 December 2022 by our UK member firm Doyle Clayton. If you require any assistance on data transfer arrangements, please contact our Data Protection specialists Piers Leigh-Pollitt, Partner & Compliance Officer for Legal Practice and Mike Hibberd, Senior Associate at Doyle Clayton.