On 10 July the EU announced its long-awaited adequacy decision for personal data flows to the US based on the new EU-US Data Privacy Framework (DPF). While this seems a major step forward for data flows from the EU to the US, not all EU businesses will be rushing to tear up their current data export procedures just yet and UK data exporters will have to hold fire pending agreement of an equivalent UK-US “data bridge”.
As we previously reported (see here), in the case known as Schrems II, the Court of Justice of the European Union (Court) invalidated the US Privacy Shield framework which had enabled the flow of personal data from the EU to the US. In Schrems II, the Court had significant concerns about the powers of access that US law enforcement and security agencies have with respect to personal data and the lack of meaningful legal redress for EU data subjects. The Executive Order 14086 signed by President Biden in October 2022 introduced new safeguards for US intelligence activities to address the concerns raised by the Court and opened the way for the DPF to be agreed.
As a result of Schrems II, businesses in the EU and the UK wishing to export personal data to the US have been required to implement alternative transfer mechanisms, principally the Standard Contractual Clauses (SCCs). Data exporters must also undertake due diligence on the laws of the country to which personal data is being exported by conducting transfer impact assessments (TIAs, known in the UK as “transfer risk assessments”) and considering whether supplementary measures (such as encryption to which the data importer holds no key) are required to protect the rights of the data subject.
This can be very time-consuming and costly for data exporters, especially SMEs. Whilst some US data importers have taken measures to help exporters navigate the requirements, many exporters have had to make difficult business decisions about whether to export data to the US at all.
Privacy Shield, administered by the US Department of Commerce (DOC), pre-dated GDPR and was a self-certification scheme under which US data importers had to prepare certain policies and documentation and self-certify their compliance with a set of privacy principles. Some US data importers maintained their Privacy Shield certification even after it ceased to provide adequacy for EU transfers. The DOC has confirmed that DPF remains a self-certification process and that it builds on Privacy Shield, with additional requirements to address the concerns raised in Schrems II and updates to reflect GDPR.
It comes as no surprise that Max Schrems has already announced that DPF will be challenged.
Where an EU data exporter is dealing with a US data importer covered by DPF, it seems likely that the data exporter’s TIA will now refer to the data importer’s DPF status to avoid the need for supplementary measures. Data exporters will need to monitor their data importers’ DPF status and be prepared to review TIAs and implement supplementary measures if DPF status is not maintained. Also, DPF will not apply in all circumstances (see below).
Where a US data importer is not registered under the DPF, EU data exporters will still need to undertake a TIA and ensure that a transfer tool, such as SCCs or Binding Corporate Rules, is in place, along with supplementary measures where appropriate. Certain categories of data transfer are outside the scope of DPF, including financial services and not-for-profit organisations. A data exporter may in any case, and particularly given the threat of further challenge, decide it is prudent to maintain its SCCs to avoid any future risk of interruption to its ongoing data flows.
In this context, Executive Order 14086 is still helpful as the EU Commission has confirmed that all the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.
Whilst UK data exporters were able to take advantage of Privacy Shield, now that the UK has left the EU, UK data exporters cannot rely on DPF for exports of UK personal data.
While UK GDPR is based on the same principles as EU GDPR, it is a separate piece of UK legislation. It is for the UK government alone to determine which countries are adequate, and UK data exporters cannot rely on the EU adequacy decision for transfers of the personal data of UK data subjects to the US. See here for the list of adequate countries under UK GDPR.
The indications are that the US and UK governments are actively working to agree an arrangement, the so-called “data bridge”, to enable UK data exports to the US later this year. Whilst the terms of that data bridge continue to be negotiated, UK data exporters should continue to follow the UK GDPR’s requirements: undertake a UK GDPR transfer risk assessment and rely on UK SCCs or the ICO’s International Data Transfer Agreement to ensure that the export of UK data remains compliant with UK GDPR. UK data exporters using UK SCCs may gain some comfort from the EU Commission’s confirmation regarding Executive Order 14086, since the requirement for TIAs (derived from the Schrems II decision) arose when the UK was in the Brexit transition period and still subject to EU data protection law.
Please see here for our guidance on the UK GDPR data export requirements.
UK businesses which also have business operations in the EU may wish to consider relying on DPF for the export of EU personal data, but this will require them to identify the UK and EU data sets separately and to undertake separate assessments of the risks and requirements for each data set according to the rules of the UK and the EU respectively. Depending on the volumes and types of personal data being exported from each of the UK and the EU, this could be an involved and complicated process.
In light of the risk of challenges to DPF, the anticipated UK-US data bridge as well as the potential for more flexibility on adequacy under the UK Government’s proposed Data Protection and Digital Information Bill currently working its way through Parliament, UK businesses with EU business operations may decide it is prudent to retain the “tried and tested” tools for both UK and EU data transfers for the present time.
Michelmores Data Protection & Privacy team will be happy to assist you in navigating the complexities of international data transfers under UK GDPR.
COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework