EU - US data transfer will be possible

This is the long-awaited decision that finally replaces the EU-US so-called “Privacy Shield”, which you may remember was invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems II case back in 2020, where it was argued that “Privacy Shield” data transfers were merely an update to the previous system and remained unlawful.

An “adequacy decision” under the EU General Data Protection Regulation (“GDPR”) approving transfers of personal data to organisations located in the United States from those based in the EU has been reached by The European Commission (“EC”) in July 2023. The adequacy decision is also likely to be challenged in the CJEU but before that happens, this decision reduces risk as any data transfers will be certified under the US/EU Trans-Atlantic Data Privacy Framework (“DPF”).

Thanks in part to cloud technology, a surprising amount of organisations are impacted by trans-atlantic data flows, so this news has been widely welcomed. 

New safeguards are introduced by the DPF for personal data being transferred to the US from the EU, following the US signing an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities' which essentially ensures that “data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.”

US organisations are able to easily join the DPF, and where organisations previously transferred data using the Privacy Shield, those companies should be able to move across to the DPF easily. Self-certification is required to ensure that compliance with privacy obligations is observed, including ensuring that privacy policies are suitable and there is a ‘recourse mechanism’ for complaints, and must be repeated annually.

Any EU organisations who require data to be exported to the US can easily check whether the recipient organisation has the benefit of the DPF, which will cover the transfer.

Of course, as the UK is now a third country as far as GDPR is concerned, the UK is not covered by the US-EU adequacy decision, however there is a self-certified option to apply for a UK extension for data flowing from the EU to the US. Data that requires transfer from the UK to the US is still not covered and will require a comparable adequacy decision.

Posted on 09/06/2023 by Ortolan

Get in Touch

If you would like to know more about Ortolan Legal and how we can help you reduce your ongoing recruitment costs, get in touch!

Email us now

   Or call 020 3743 0600

I have worked with Ortolan Legal since 2010 and used their services extensively. They have provided corporate and commercial legal advice and we have also drawn on their capability in the areas of employment law, dispute resolution and property law. What makes them so different is their ability consistently to deliver commercially focussed and high quality advice at a price point which simply cannot be matched by other law firms. They aim to strip out unnecessary overhead costs, concentrate on the quality of their core service and pass on these cost savings to their clients. It works.

Charlie Blackburn, Entrepreneur and co-founder of Brighttalk
See All
Receive news & updates from Ortolan Legal

Meet the Team

  • Nick Benson Nick Benson I qualified as a commercial and corporate solicitor…
  • Liz Delgado Liz Delgado I qualified as a solicitor in 1995 after studying…
  • Carrie Beaumont Carrie Beaumont I qualified as an Employment specialist in 2008. I…