This is the long-awaited decision that finally replaces the EU-US so-called “Privacy Shield”, which you may remember was invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems II case back in 2020, where it was argued that “Privacy Shield” data transfers were merely an update to the previous system and remained unlawful.

An “adequacy decision” under the EU General Data Protection Regulation (“GDPR”) approving transfers of personal data to organisations located in the United States from those based in the EU has been reached by The European Commission (“EC”) in July 2023. The adequacy decision is also likely to be challenged in the CJEU but before that happens, this decision reduces risk as any data transfers will be certified under the US/EU Trans-Atlantic Data Privacy Framework (“DPF”).

Thanks in part to cloud technology, a surprising amount of organisations are impacted by trans-atlantic data flows, so this news has been widely welcomed. 

New safeguards are introduced by the DPF for personal data being transferred to the US from the EU, following the US signing an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities' which essentially ensures that “data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.”

US organisations are able to easily join the DPF, and where organisations previously transferred data using the Privacy Shield, those companies should be able to move across to the DPF easily. Self-certification is required to ensure that compliance with privacy obligations is observed, including ensuring that privacy policies are suitable and there is a ‘recourse mechanism’ for complaints, and must be repeated annually.

Any EU organisations who require data to be exported to the US can easily check whether the recipient organisation has the benefit of the DPF, which will cover the transfer.

Of course, as the UK is now a third country as far as GDPR is concerned, the UK is not covered by the US-EU adequacy decision, however there is a self-certified option to apply for a UK extension for data flowing from the EU to the US. Data that requires transfer from the UK to the US is still not covered and will require a comparable adequacy decision.