The Trans-Atlantic Data Privacy Framework
The Trans-Atlantic Data Privacy Framework
Overview
In October 2022, the White House issued an executive order about the much-anticipated EU-US Data Privacy Framework (DPF). Together with the Department of Justice, the executive order made the agreement in principle announced between the EU and the US & law. The DPF seeks to address two key shortfalls of the Privacy Shield framework.
Firstly, the absence of necessity and proportionality limits on the US surveillance programs and, secondly, insufficient judicial redress rights for individuals to challenge the US surveillance they consider to be unlawful.
Under the DPF, US intelligence programs will now be curtailed to what is necessary and proportionate. The personal data of European data subjects will no longer be subject to unrestrained, bulk surveillance.
Moreover, a two-layer redress mechanism will be introduced enabling data subjects to challenge unlawful surveillance by US intelligence services.
These were also the key considerations cited by the Court of Justice of the European Union (CJEU) in the ‘Schrems II’ decision as reasons for invalidating the Privacy Shield. In the light of this, the DPF is expected to withstand another challenge.
Following the signing of the executive order, in December 2022, the European Commission published a draft adequacy decision for safe data flows with the US. The draft adequacy decision will now go through its adoption procedure, after which the European Commission can adopt the final adequacy decision. This is expected to take around six months.
As part of this process, in January 2023, the EDPB published an agenda for the 74th plenary meeting where the European Commissioner would present the draft adequacy decision on the DPF, followed by the EDPB’s opinion on the same.
However, there is another potential challenge already looming over the yet-to-be adopted final adequacy decision.
Why is this significant and what does it mean for me?
Until the EU declares the US as adequate, these developments will not affect the existing data flows between the EU and the US, which should continue as before.
Following Brexit, the above will not have any direct effect on the UK-US data flows. However, if the European Commission issues the adequacy decision, it is likely that the UK will follow suit and declare the US as ‘adequate.’ If this happens, it will mean free data flows between the UK and the US entities as well. It is important that UK-based organisations with an exposure to data transfer to the US monitor the outcome.
Until then, organisations in the UK must rely on the ICO-approved transfer tools in combination with a recently released Transfer Risk Assessment (TRA) tool which is discussed in more detail in our next article.
If you have any queries or would like further information, please visit our data protection services section or Christopher Beveridge.