EU-US Data Privacy Framework adopted on 10 July

The revised EU-US Data Privacy Framework was adopted on 10 July after lengthy negotiations. In principle, it will be helpful to companies, although they may well continue with Standard Contractual Clauses and other legal bases for their data transfers.

The EU’s official announcement states:

“The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.”

While, in principle, this step is helpful to companies transferring personal data from the EU to the US, the PL&B Conference session on the framework, on 3 July, has enabled the careful observer to note certain reservations in this text.

  1. It is a very narrow agreement, as it applies only to transfers of personal data to “US companies participating in the Framework.”
  2. This Framework refers to the Privacy Shield programme organised by the International Trade Administration of the US Department of Commerce. But at the time of writing, the list of companies participating in the programme is blank, so it is not possible to know which companies are in the programme. In addition, of course, many transfers are not to companies, so will not come within this framework.
  3. This agreement is very narrow compared with most previous EU “adequacy” decisions and does not claim to cover data transfers to public sector entities or companies not on the Privacy Shield list.
  4. This framework is an improvement on the previous one, as the parties have taken care to respect the decisions of the Court of Justice of the European Union (CJEU). However, it is highly likely that there will be another Schrems case before the CJEU.

The European Data Protection Board will give its Opinion in due course.

The UK government will expect to reach a similar agreement with the US.

There will be an article on this subject in the August edition of Privacy Laws & Business International Report.