bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


EU-US Data Privacy Framework

18 July 2023

In July 2023, the European Commission confirmed that it had adopted an adequacy decision in respect of the EU-US Data Privacy Framework. The decision states that the Commission considers that the data protection safeguards which the Framework provides are comparable to those provided by EU law.

The Framework allows US companies to sign up to the Framework after self-certifying that they comply with a number of detailed requirements designed to ensure the protection of personal data. Re-certification is required on an annual basis and the Framework provides a public database of certified companies which allows EU contracting parties to verify that their US counterparts are registered with the Framework.

Lynn Richmond
Partner

Sounds familiar? It should. Organisations and individuals sending personal data abroad will no doubt be familiar with the legal twists and turns that international data transfers have taken over recent years. In 2020 the Privacy Shield framework was struck down after the Court of Justice of the EU issued its decision in Facebook Ireland and Schrems (C-311/18), holding that US law did not afford a level of protection of personal data which was similar to that enjoyed by EU citizens. Privacy Shield, like the Framework, was based on a self-certification model. Following that decision, transfers of personal data could no longer be made from the EU to the US on the basis of Privacy Shield alone.

Instead, transfers had to be made by another mechanism approved by EU law, such as Standard Contractual Clauses or Binding Corporate Rules. However, transferors of data were also required to carry out due diligence to ensure that the US did, in fact, have adequate levels of protection for personal data. The effect of this was to place a significant burden on organisations to carry out that diligence. In practice, this often meant seeking US legal advice on the applicable state and federal law, a process that, if carried out properly, often resulted in significant investment of time and expense to the transferor. While the exercise was largely a risk-based assessment, those transferors who undertook that diligence were subject to a significantly increased burden in terms of ensuring compliance with EU data protection law.

The Privacy Framework (like Privacy Shield) removes the need to carry out that due diligence, smoothing the way for data to be transferred more easily. However, the Privacy Framework is not without its critics. noyb – The European Center for Digital Rights (founded by Max Schrems) has already indicated that it intends to challenge the Privacy Framework. Any challenge is likely to take some time before a ruling is made on the validity of Privacy Shield, but the position may not yet be finally settled.

In the meantime, the UK continues to work on its “data bridge” with the US. While in the early stages, this will effectively be an extension of the Framework and allow data sharing between the UK and the US based on the same principles.

Lynn Richmond, Partner & Accredited Specialist in Intellectual Property: lyr@bto.co.uk / 0131 222 2939
