The European Commission (the EC) has adopted an adequacy decision on the EU-US Data Privacy Framework. 

The EU-US Data Privacy Framework is the legal mechanism that will now enable the otherwise restricted transfers of personal data from the EU to the US, replacing the defunct predecessor, the EU-US Privacy Shield. 

What is the EU-US Data Privacy Framework, and why is it needed?

Previously, data was shared between the EU and the US under the EU-US Privacy Shield.

However, the landmark ruling achieved by data activist Maximilian Schrems rendered the mechanism defunct in 2020, leaving transfers of personal data from the EU to the US restricted (and therefore prohibited) unless alternative measures were implemented (see below).

Further information on the Schrems case can be found in our article.

Under the EU GDPR, transfers of EU citizens' personal data out of the EU are restricted unless:

  • An adequacy decision has been made by the EC for the country or organisation receiving the personal data. An adequacy decision is a decision made by the EC that the country or organisation ensures a level of protection to personal data equivalent to that afforded under the EU GDPR; or
  • Appropriate safeguards are implemented between the sender and the recipient to ensure that the personal data is afforded a commensurate level of protection as is afforded by the EU GDPR. Appropriate safeguards primarily take the form of standard contractual clauses (SCCs) or binding corporate rules (BCRs) and are effectively contractual terms between two entities committing to the protection of personal data; or
  • An exemption applies.

The EU-US Data Privacy Framework, therefore, allows personal data to flow freely from the EU to US companies certified under the EU-US Data Privacy Framework without the need to put appropriate safeguards in place or rely on an exemption.

US organisations can apply to the US Department of Commerce for certification and, once they are certified, EU organisations can transfer personal data to them freely.

What about data transfers between the UK and the US?

The UK has not yet adopted an adequacy decision for the US. 

Until such time, transfers of personal data between the UK and the US remain restricted; therefore, measures approved per the UK GDPR should be put into place.

Further information on how to transfer personal data outside of the UK can be found in our article.
