Share

27 Jul 2023

EU Commission Adopts Adequacy Decision for EU-US Data Transfers

briefing

Financial Regulation

Download PDF here

For further information on any of the issues discussed in this publication please contact the related contact(s) on this page.


Introduction

Under the GDPR, data controllers and data processors are only permitted to transfer personal data outside of the EEA in accordance with one of the safeguards under Chapter V of the GDPR. This is in order to ensure that the level of protection afforded to personal data in the EEA is not undermined by the transfer of personal data to third countries.

One of the safeguards which can be relied upon in order to legitimise the transfer of personal data outside of the EEA is where the data protection laws of the relevant third country have been deemed by the European Commission to ensure an adequate level of protection under an adequacy decision published under Article 45(3) of the GDPR.

Background

In July 2020, the Court of Justice of the European Union (CJEU) held in the Schrems II ruling[1]that the EU-US Privacy Shield, which had been one of the mechanisms used by EEA organisations to transfer personal data to the U.S, was invalid on the basis that it did not provide adequate protection to deal with the far-reaching surveillance of EU personal data by US intelligence agencies.

In October 2022, the US Government announced that it had signed an executive order to implement the U.S. commitments made under the new EU-U.S. Data Privacy Framework announced by the EU and the U.S. in March 2022 (Framework).

This Framework introduced new binding safeguards intended to address all of the concerns raised by the CJEU in the Schrems II ruling, including limiting access to EU data by US intelligence services to what is both necessary and proportionate, and the establishment of a “Data Protection Review Court” to which EU individuals will have access.

Announcement of European Commission Adequacy Decision

On 10 July 2023, the European Commission announced that it had adopted an adequacy decision on the Framework, concluding that it provides an adequate level of protection for personal data transferred from the EU to US companies participating in the Framework (Adequacy Decision).

The Adequacy Decision enters into effect immediately with the functioning of the Framework being subject to periodic reviews carried out by the European Commission. The first review will take place within one year of its entering into force in order to verify whether the relevant elements of the Framework are functioning in practice.

It is worth noting that noyb released a statement on the same day announcing that it will challenge the legitimacy of the Framework with Max Schrems noting that they expect this “to be back at the Court of Justice by the beginning of next year”.

Implications of Adequacy Decision for Data Flows Between the EU and the US

The Adequacy Decision will enable the free flow of personal data of EU subjects from EEA data controllers or EEA data processors to entities participating in the Framework without having to put in place additional safeguards. Those U.S. organisations participating in the Framework must commit to comply with a detailed set of privacy obligations and must appear on the “Data Privacy Framework List”[2].

However, those EU data controllers and EU data processors which transfer personal data of EU subjects to U.S. organisations not participating in the Framework must continue to ensure that another appropriate safeguard has been implemented in order to legitimise such transfers under Chapter V of the GDPR. This includes for example putting in place standard contractual clauses or binding corporate rules with the relevant U.S. organization, having first assessed the effectiveness of the transfer tool chosen. In an information note published by the European Data Protection Board following the publication of the Adequacy Decision, it notes that any such assessment should take into account the assessment conducted by the European Commission in the Adequacy Decision.

If you have any queries in relation to the Adequacy Decision and potential implications on EU-U.S. data flows, please contact any of the authors or your usual contact in Dillon Eustace.



Footnotes:

[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems

[2] Accessible from Participant Search (dataprivacyframework.gov)

DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.


Copyright Notice: © 2024 Dillon Eustace LLP. All rights reserved.

Key Contacts