FAQs: EU-US data privacy framework approved

On 10 July 2023, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework and the EU-US Framework has now entered into force.

12 July 2023

Publication

EU permits free flow of personal data to certified US organisations with immediate effect.

On 10 July 2023, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (the "EU-US Framework"), and the EU-US Framework has now entered into force with immediate effect. The EU-US Framework provides a mechanism for personal data to flow safely from the EU to US organisations participating in the EU-US Framework, without having to put in place additional data protection safeguards.

Q1: What is the EU-US Framework and why is it necessary?

The EU-US Framework is a mechanism to enable compliance with EU data protection requirements when transferring personal data from the EU to the U.S. This mechanism is the third attempt at a data transfer mechanism for transatlantic data flows after the Safe Harbor and Privacy Shield were invalidated by the Court of Justice of the European Union (CJEU) in 2015 and 2020 respectively.

Both the EU General Data Protection Regulation (GDPR) and its UK equivalent (UK GDPR) impose restrictions on the transfer of personal data to third countries that have not been recognised as providing an adequate level1 of protection for personal data. The strict conditions under which data transfers are permitted are designed to ensure that personal data that benefits from the protections under the GDPR continues to benefit from an equivalent standard of protection in the jurisdictions to which the data is exported.

There are different mechanisms provided for under the GDPR that businesses can rely on to ensure that EU, or UK, data protection standards continue to apply to personal data when it is exported. Adequacy decisions are one such mechanism; the EU-US Framework, and any subsequent agreement between the UK and US (once in place), constitute adequacy decisions.

Q2: What is the timeline leading to the adoption of the EU-US Framework?

  • March 2022: President von der Leyen and President Biden reach an agreement in principle on a new trans-Atlantic Data Privacy Framework.
  • October 2022: President Biden signs an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, implementing the EU-US Framework as the replacement for the Privacy Shield. The Executive Order introduces new binding safeguards to address the points raised by the CJEU in its Schrems II decision of July 2020. New obligations under the Executive Order include (i) limiting signals intelligence activities to those which are necessary and proportionate; and (ii) a two-layered mechanism for oversight and redress to handle and resolve complaints from Europeans about the collection of their data for national security purposes. For a summary of the Executive Order, please see our previous article.
  • December 2022: The European Commission publishes a draft adequacy decision endorsing the proposed EU-US Framework.
  • February 2023: The European Data Protection Board adopts its opinion on the draft adequacy decision.
  • May 2023: The European Parliament adopts a non-binding resolution on the draft adequacy decision.
  • July 2023: Member State representatives approve the draft adequacy decision, and US Secretary of Commerce Gina Raimondo issues a statement confirming that the US has fulfilled its commitments for implementing the EU-US Framework.
  • 10 July 2023: The European Commission adopts the adequacy decision, and the EU-US Framework enters into force.

Q3: What is the impact of the adopted EU-US Framework?

Now that a final adequacy decision has been adopted in the form of the EU-US Framework, personal data is able to flow freely and safely from EU companies to US companies certified by the US Department of Commerce. US companies will be able to join the EU-US Framework by committing to comply with a detailed set of privacy obligations (known as "self-certifying").

The approval of the EU-US Framework will also have a bearing on transfer impact assessments ("TIAs") completed by companies. For those relying on the EU-US Framework, a TIA will technically not be needed, as the adequacy decision replaces the adequacy assessment that a TIA would otherwise contain. However, previously completed TIAs may need to be revisited in light of the changes in US surveillance law, and TIAs will still need to be completed if you are (1) relying on other transfer mechanisms; (2) transferring data to US organisations not certified under the EU-US Framework; or (3) transferring personal data to any other third country. For companies relying on other transfer mechanisms, the safeguards put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. Those measures therefore facilitate the use of other tools, such as Standard Contractual Clauses and Binding Corporate Rules, and overall lower the risk of transferring personal data to the US. Our Ctrl Transfer tool provides an effective and swift risk assessment of cross-border data transfers.

From the perspective of EU individuals, the EU-US Framework will provide them with new rights, e.g. to obtain access to their data and to correct or delete inaccurate or unlawfully handled data, as well as a redress mechanism in case their data is handled incorrectly.

The announcement of the EU-US Framework has been eagerly awaited by many US-headquartered companies, whose services require cross-border data flows such as AI, cloud computing and social media platforms, and for whom the adequacy decision will be a key facilitator in the trans-Atlantic technology and data economy.

Q4: Does the EU-US framework apply to transfers from the UK to the US?

The EU-US Framework applies to data transfers between the EU and the US but does not apply to data transfers from the UK to the US.

On 8 June 2023, officials from the UK and US announced that they had reached a commitment in principle to establish a data bridge between the two countries ("UK-US Data Bridge") aimed at providing a robust and reliable mechanism for transatlantic flows of personal data. From the UK's perspective, the US is a priority for an adequacy decision and, if granted, would be the second adequacy decision the UK has implemented (the first was adopted in relation to the Republic of Korea) following the UK's withdrawal from the EU in January 2020. The UK may therefore soon have its own version of the EU-US Framework in place.

Q5: What is different about the EU-US Framework compared to previous transfer mechanisms?

The EU-US Framework introduces new binding safeguards to address concerns previously raised by the CJEU, including:

  • limiting access to EU data by US intelligence services to what is necessary and proportionate to protect national security;

  • establishing a two-tier redress system to investigate and resolve complaints from Europeans about access to their data by US intelligence authorities, which includes a Data Protection Review Court ("DPRC"). The DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures; and

  • introducing obligations for companies processing data transferred from the EU, which includes the requirement to self-certify that they adhere to the standards through the US Department of Commerce.

Overall, the EU-US Framework is intended to introduce significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from the EU will have to subscribe to.

Q6: How does the EU-US Framework impact Member States?

The European Commission's adequacy decision is binding, which means that data protection authorities in the EU Member States must accept the adequacy decision as creating a valid mechanism for data transfers to the US. If a Member State data protection authority questions the compatibility of the adequacy decision with an individual's fundamental rights to privacy and data protection (for example, following a complaint from a data subject), it can use legal remedies under national law to put those objections before a national court. The national court may in turn be required to make a reference for a preliminary ruling to the CJEU.

Q7: How is the EU-US Framework perceived in EU Member States?

Germany's largest association of the digital economy, Bitkom, has highlighted that data transfers are a central component of the global economy across all industries, and that impeding or even prohibiting data transfers cannot simply be compensated for by alternative solutions and poses serious challenges for German and EU companies as well as for supply chains. As such, the EU-US Framework is perceived by Bitkom as very positive for EU companies. It is, however, certain that this new EU-US Framework will be subject to court proceedings. Critics of the EU-US Framework, e.g. the data protection activist Max Schrems, allege that the EU-US Framework "is largely a copy of the failed 'Privacy Shield'" and that "there has been little change in US law". Whether the European Commission has, with the new EU-US Framework, found a legal framework that will ultimately be accepted by the CJEU therefore remains to be seen.

Q8: How do US companies self-certify and become EU-US Framework participants and what actions will they need to take?

US companies will be able to join the EU-US Framework by committing to comply with a detailed set of privacy obligations (the "EU-US Framework Principles"), for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The EU-US Framework Principles are an updated version of the principles established under the Privacy Shield framework. Organisations that were already certified under the Privacy Shield framework will still need to certify their adherence to the EU-US Framework Principles, and will likely be contacted by the US Department of Commerce regarding recertification.

Any US companies (whether previously certified under the Privacy Shield or not) that commit to comply with the EU-US Framework Principles must reflect those privacy obligations in their privacy policies.

The EU-US Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Compliance by US companies with their obligations under the EU-US Data Privacy Framework will be enforced by the US Federal Trade Commission.

Q9: What happens next?

As with all adequacy decisions, the European Commission will regularly review the decision, with the first review taking place within one year of adoption. The first review will check whether all relevant elements of the US legal framework are functioning effectively in practice and the frequency of subsequent reviews will depend on the outcome of that first review. Adequacy decisions can be amended or withdrawn depending on developments affecting the level of data protection in the third country, so there is a possibility that the adequacy decision could undergo further change.

Q10: If I transfer data from the UK / Europe to the US, what do I need to do now?

Data exporters in the EU

  • Although the adequacy decision entered into force on the day of its adoption (10 July 2023), companies will need to check, prior to the transfer, whether the data recipient is actually certified. Certification status can be verified against the Data Privacy Framework List maintained by the US Department of Commerce on the EU-US Framework website (www.dataprivacyframework.gov).

  • Some EU data exporters who were already relying on Standard Contractual Clauses or Binding Corporate Rules may wish to continue to rely on such tools. These mechanisms remain valid; however, data exporters should review the impact of the adequacy decision on those measures, as well as on any related TIAs.

  • No TIA is required for transfers to data recipients certified under the EU-US Framework; however, TIAs are still required for transfers to US entities that are not certified.

  • Companies relying on the EU-US Framework should consider whether to agree contractual protections obliging the data recipient to remain certified and to observe the EU-US Framework Principles, and to flow these obligations down to other third-party recipients, as applicable.

  • Consider whether it would be sensible to agree Standard Contractual Clauses as a fallback option in the event that the US data recipient ceases to be certified, or if the EU-US Framework is struck down (as was the case with the Safe Harbor and Privacy Shield).

Data exporters in the UK

  • Continue to rely on your existing transfer mechanisms until the UK-US Data Bridge is formally announced.

To book a demo of our CtrlTransfer tool or for more information, please contact Emily Jones.

1 Adequacy does not require the third country's data protection system to be identical to that of the EU, but is based on the standard of ‘essential equivalence’. The third country’s data protection framework is assessed to check how personal data is protected and what redress mechanisms are available to data subjects.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.