In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court, the Court of Justice of the European Union, ruled on July 16, 2020, that the EU-U.S. Privacy Shield program, a key legal mechanism used to enable transfers of personal data from the European Union, was invalid, while also potentially requiring additional protections to be implemented when other key transfer mechanisms, called Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), are used.
Subsequent guidance published by the European Data Protection Board confirmed that data exporters in the EU and data importers outside the EU have an obligation to assess whether the third countries outside the EU to which they are transferring personal data have a level of data protection essentially equivalent to that guaranteed within the EU by the General Data Protection Regulation (an assessment known as a transfer impact assessment or TIA). Where the TIA, taking into account the relevant laws of the third country and the circumstances of the transfers, shows that there is no such essentially equivalent level of protection, supplementary measures (a combination of organizational, contractual, and technical measures) should be put in place to provide that level of protection.
On October 7, 2022, President Biden introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework (DPF) and on July 20, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy with respect to companies that subscribe to the DPF. Entities relying on SCCs or BCRs for transfers to the U.S. are able to rely on the analysis in the “adequacy” decision as support for their TIAs required by the Schrems II decision regarding the equivalence of U.S. national security safeguards and redress. Further, on September 21, 2023, regulations were laid in the UK Parliament to give effect to the UK Extension to the DPF – otherwise known as the “UK-U.S. Data Bridge.” The regulations, due to take effect on October 12, 2023, will enable companies in the UK to lawfully transfer personal data to participating organizations in the U.S. without the need to implement additional safeguards or carry out TIAs.
This page provides a variety of substantive resources contributed by our lawyers to keep you informed as to how this decision and subsequent guidance and developments will impact the future of international data flows and the business landscape.