The European Commission has adopted its adequacy decision for the EU-US Data Privacy Framework. This means that it has been determined by the European Commission that the United States ensures an “adequate level of protection” for personal data transfers from the EU to US companies.
A key issue has been the limitations and safeguards regarding access to data by US intelligence agencies. The framework provides for binding safeguards that limit access to data by US intelligence agencies to what is “proportionate to protect national interest”. There is also a new redress mechanism, with binding authority, to handle and resolve complaints from EU data subjects.
US companies will need to certify under the new framework and we are expecting guidance soon from the US Department of Commerce.
What this will mean in practice is that those companies in the EU looking to transfer personal data to companies in the US will not need to execute the standard contractual clauses to effect a compliant international transfer, provided that the recipient US company is certified under the framework. At this stage, UK to US personal data transfer still require additional safeguards to be put in place, for example the SCCs with ICO addendum.
The European Commission has published a questions and answers document which you can find here.
The full press release is available to read here.
Guy Cartwright