18 July 2023
In July 2023, the European Commission confirmed that it had adopted an adequacy decision in respect of the EU-US Data Privacy Framework. The decision states that the Commission considers that the data protection safeguards which the Framework provides are comparable to those provided by EU law.
The Framework allows US companies to sign up after self-certifying that they comply with a number of detailed requirements designed to ensure the protection of personal data. Re-certification is required on an annual basis, and the Framework provides a public database of certified companies which allows EU contracting parties to verify that their US counterparts are registered with the Framework.
Sounds familiar? It should. Organisations and individuals sending personal data abroad will no doubt be familiar with the legal twists and turns that international data transfers have taken over recent years. In 2020 the Privacy Shield framework was struck down after the Court of Justice of the EU issued its decision in Facebook Ireland and Schrems (C-311/18), holding that US law did not afford a level of protection of personal data which was similar to that enjoyed by EU citizens. Privacy Shield, like the Framework, was based on a self-certification model. Following that decision, transfers of personal data could no longer be made from the EU to the US on the basis of Privacy Shield alone.
Instead, transfers had to be made by another mechanism approved by EU law, such as Standard Contractual Clauses or Binding Corporate Rules. However, transferors of data were also required to carry out due diligence to ensure that the US did, in fact, have adequate levels of protection for personal data. The effect of this was to place a significant burden on organisations to carry out that diligence. In practice, this often meant seeking US legal advice on the applicable state and federal law, a process that, if carried out properly, often resulted in a significant investment of time and expense for the transferor. While the exercise was largely a risk-based assessment, those transferors who undertook that diligence were subject to a significantly increased burden in terms of ensuring compliance with EU data protection law.
The Privacy Framework (like Privacy Shield) removes the need to carry out that due diligence, smoothing the way for data to be transferred more easily. However, the Privacy Framework is not without its critics. noyb – The European Center for Digital Rights (founded by Max Schrems) has already indicated that it intends to challenge the Privacy Framework. Any challenge is likely to take some time before a ruling is made on the validity of Privacy Shield, but the position may not yet be finally settled.
In the meantime, the UK continues to work on its “data bridge” with the US. While in the early stages, this will effectively be an extension of the Framework and allow data sharing between the UK and the US based on the same principles.
Lynn Richmond, Partner & Accredited Specialist in Intellectual Property: lyr@bto.co.uk / 0131 222 2939