The European Union recently announced an adequacy decision in respect of the US: Adequacy decision for safe EU-US data flows (europa.eu). The EU-US Data Privacy Framework (DPF) introduces safeguards, as required by the European Commission, such as limiting the US intelligence services’ ability to access EU personal data and a Data Protection Review Court to allow EU individuals to access an independent and impartial redress mechanism. The DPF is administered by the US Department of Commerce.
A US company can self-certify its compliance with, and commitment to, the DPF. However, to rely on the DPF, a US company must not only self-certify but also be placed on, and remain on, the Data Privacy Framework List. Although self-certification is voluntary, once a company has made a public commitment, any non-compliance is enforceable under US law. Participating companies must re-certify annually.
If a US company has self-certified and is on the Data Privacy Framework List, then personal data from the EU can be transferred to that company. Alex Zachary, corporate and commercial practice group leader, advises on the Data Privacy Framework’s UK extension.
UK Extension
The US Department of Commerce have agreed to extend the DPF, and all the protections under it, to personal data transferred from the UK to the US companies on the Data Privacy Framework List. The UK Government have therefore announced the ‘UK Extension’ and the Regulations (The Data Protection (Adequacy)(United States of America) Regulations 2023) come into force on 12 October 2023.
A US company that self-certifies under the DPF has the option of also electing to be certified under the UK Extension. As with transfers of personal data from the EU, if a US company is on the Data Privacy Framework List and has elected to be certified under the UK Extension, personal data can be transferred to it from the UK.
Any company in the UK wanting to take advantage of the UK Extension to the EU-US DPF needs to update its privacy notices to ensure they are transparent and inform all individuals whose data they process about these transfers.
You can search to see if a US company is on the list (and has elected to be certified under the UK Extension), here: Participant Search (dataprivacyframework.gov).
Challenges to the DPF
This is the third time the EU and US have tried to agree a mechanism for the flow of personal data (previous revisions include the Safe Harbour Agreement and the EU-US Privacy Shield). Both the Safe Harbour Agreement and the Privacy Shield were struck down due to legal challenges (Schrems and Schrems II) and the new DPF also faces such a challenge.
Philippe Latombe, a member of the French Parliament, has already filed two challenges (one to suspend the DPF immediately and one around the content of the agreement itself). It therefore remains to be seen whether the new EU-US DPF will be struck down by the Court of Justice of the European Union and, if it is, what this will mean for the UK Extension.
The team at B P Collins are very experienced in advising on data protection rules and how they affect UK businesses. For help on data protection, including advice on relying on the UK Extension to the EU-US DPF or updating your privacy notice, or other business matters, please contact Alex Zachary at alex.zachary@bpcollins.co.uk, or call 01753 889995.