Insight
Understanding the Data (Use and Access) Bill: What businesses need to know
Discover the key changes introduced by the Data (Use and Access) Bill and how organisations must adapt to meet compliance requirements.
Read moreInsight
The EU announced on 10 July 2023, that the personal data protections in the US are considered adequate and comparable to those in the EU, subject to certain conditions.
Adequacy refers to countries, territories, sectors, or international organisations that provide a level of protection to personal data that is essentially equivalent to the safeguards offered by the EU.
When a state has an adequacy decision, personal data can be freely transferred to and from that location and the EU without the need for additional safeguards, such as adopting EU Contractual Clauses (SCCs), the Addendum to the SCCs, and Data Transfer Impact Assessments.
For more detailed information on data adequacy and additional safeguards, please refer to our article titled “The new international data transfer laws”.
With this new adequacy decision, EU-based businesses will be able to transfer personal data to the US without restrictions, provided that the recipient company is a member of the Data Privacy Framework (DPF). Companies are enrolled in the DPF if they commit to and comply with specific privacy obligations. However, certain entities such as banks, insurers, and telecommunications companies cannot join the DPF, necessitating the use of additional safeguards.
This decision marks a significant development in data sharing between the EU and the US, which has faced challenges since the abolition of the Data Privacy Shield. Recently, Ireland’s Data Protection Commission imposed a €1.2b fine on Meta for transferring Facebook users’ data to the US. More information on this can be found in our article titled “Meta given €1.2b fine for breach of the GDPR.”
The adequacy decision is already in effect, enabling EU companies to transfer personal data to DPF-registered and certified US companies. However, Austrian activist Max Schrems is expected to challenge the decision.
Schrems previously brought the Schrems II case before the Court of Justice of the European Union, leading to increased protections for data transfers to countries without adequacy decisions. He argues that the DPF does not offer significantly different or enhanced protections compared to the previous Privacy Shield. Schrems specifically highlights concerns about US surveillance powers over non-US nationals under section 702 of the US Foreign Intelligence Surveillance Act.
Currently, UK businesses cannot rely on this adequacy decision. However, as mentioned in our article titled “UPDATE: The UK & US commit to the free flow of personal data between the two countries | Flint Bishop,” the UK is likely to establish an agreement in the near future to facilitate the free flow of data with the US.
Contact Us
If your company has operations based in the EU and you transfer data to the US, or if you would like any other data protection advice, please contact Haroon Younis, Partner & Head of Commercial, on 01332 226 466 or fill in the form below.
Related Services
Knowledge