Handley Gill Limited


Freedom from the tyranny of supplementary measures

In forging ahead in adopting an adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework, the European Commission has paved the way to free EU data exporters and US data importers from the tyranny of transfer risk assessments, standard contractual clauses and supplementary measures. While the European Commission will be hoping that this is third time lucky for its US adequacy arrangements, imminent legal challenge means that the Framework could prove to be short-lived and this should be factored into decision making in relation to reliance on the Framework for ex-EEA personal data transfers. It is feasible that the Framework could be suspended before UK data controllers even get the chance to rely on its proposed extension.
— Handley Gill Limited

On the eve of the American Independence Day celebrations, the US Department of Commerce announced that it had fulfilled its obligations under the Trans-Atlantic EU-US Data Privacy Framework, the proposed successor to the Safe Harbor and Privacy Shield arrangements for ex-EEA transfers of personal data to the USA, both of which were struck down by EU courts.

The announcement followed the designation by the US Attorney General on 30 June 2023 of the European Union, Iceland, Liechtenstein, and Norway as qualifying states for the purposes of the redress mechanism established under Executive Order 14086 of October 2022, with the designation taking effect upon the adoption by the European Commission of its adequacy decision in respect of the US.

Disregarding the European Parliament’s May vote in favour of re-opening negotiations with the US, and following an overwhelmingly positive written vote by the Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data (2018) on a revised draft adequacy decision, on 10 July 2023 the European Commission proceeded to take steps to liberate data controllers and processors in the EEA from the tyranny of post-Schrems II transfer risk assessments, contractual clauses, and supplementary measures. It did so by adopting Commission Implementing Decision C(2023) 4745 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) on the adequate level of protection of personal data under the EU-US Data Privacy Framework, finding that, having “carefully analysed U.S. law and practice, including EO 14086 and the AG Regulation”, “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States”.

What does this mean for transfers of personal data from the EEA to the USA?

From today, 11 July 2023, transfers of personal data from the EEA to an organisation in the US which is self-certified under the EU-US Data Privacy Framework can rely on the European Commission adequacy decision as the legal basis to effect the transfer.

The US Department of Commerce’s International Trade Administration has published a website, currently still under construction, which will provide details on how to self-certify and list the organisations which have self-certified.

Once operational, the mechanism will counteract some of the recent adverse decisions of supervisory authorities and the courts which have threatened the viability of alternative mechanisms for the transfer of personal data to the US, in particular the sufficiency of supplementary measures to the standard contractual clauses. These include the Irish Data Protection Commission’s decision against Meta Platforms Ireland Limited, which included an order requiring Meta to suspend future transfers of personal data and a fine of €1.2 billion, and the decision of the Swedish data protection authority, IMY, to issue administrative fines and orders to cease transfers of personal data in the context of deploying Google Analytics (merely the latest in a series of decisions by supervisory authorities across the EEA to this effect).

What does this mean for transfers of personal data from the UK to the USA?

Nothing as yet.

While the UK has indicated its intention to piggy-back on the Trans-Atlantic EU-US Data Privacy Framework, the Secretary of State for Science, Innovation and Technology has not as yet issued adequacy regulations in respect of the US pursuant to Article 44(1) UK GDPR and s.17A Data Protection Act 2018. She will no doubt have been hesitant to do so pending the adoption by the European Commission of its adequacy decision in respect of transfers to the US, for fear of jeopardising the European Commission’s adequacy decision in respect of the UK. Nor has the US Attorney General as yet designated the UK as a ‘qualifying state’ for the purposes of Executive Order 14086, although we do not anticipate there being any barrier to this in due course.

Pending any such developments, the mere fact of the European Commission’s adequacy decision will, however, be a relevant factor to reflect in transfer risk assessments / transfer impact assessments.

Should we change the legal basis for transfers of personal data to the US from appropriate safeguards based on standard data protection clauses under Article 46(2)(c) GDPR to rely on the adequacy decision under Article 45 GDPR?

For ex-EEA transfers, first of all you will need to ensure that the US entity to which you propose to transfer personal data is self-certified under the Framework. It will likely take weeks or perhaps months for self-certifications to become effective. It should be noted that not all US entities will be amenable to self-certification under the Framework; to be eligible entities must be subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) and this excludes banks, airlines and insurers, for example, from its remit.

Any change of legal basis for existing transfers would necessitate an update to the transparency information provided to data subjects in the form of a privacy notice or privacy policy pursuant to Articles 13 and 14 GDPR. Similarly, any records of processing activities required by Article 30 GDPR should also be updated.

Data importers in the US which self-certify may be keen to move to the adequacy decision as the legal basis for transfers and to implement consequential contractual amendments to existing data transfer agreements, removing references to standard contractual clauses (SCCs) and supplementary measures, and minimising additional burdens upon them.

There is a real risk, however, that the Framework will prove to be short-lived. NOYB (the European Center for Digital Rights) has already pledged to challenge the adequacy decision, having completed its preliminary preparations to bring a challenge, and expects that the European Court of Justice will hear its challenge early in 2024.

We therefore anticipate that controllers and processors will approach the new transfer mechanism with some trepidation, particularly in relation to existing transfer arrangements, and may instead decide for the time being to maintain reliance on standard contractual clauses and supplementary measures, updating their transfer risk assessments / transfer impact assessments to reflect the adequacy decision while not explicitly relying on it to justify the transfers. This may depend upon the complexity of their transfer arrangements and the availability of alternative personal data transfer mechanisms.

Any new data transfer agreements which propose to rely on the adequacy decision should include provision to permit such contractual amendments as are necessary to rely on an alternative legal basis for transfers should it prove necessary.

If you require support in reviewing the legal basis for transfers of personal data to the USA, considering whether and how to deploy the Trans-Atlantic EU-US Data Privacy Framework, negotiating and/or amending data transfer agreements, updating transfer risk assessments / transfer impact assessments or drafting standard contractual clauses and supplementary measures, please don’t hesitate to contact us.