The European Commission last week validated the new EU-US Data Privacy Framework (DPF), declaring it a secure mechanism for EU-US data transfers.
To benefit from the DPF covering personal data transfers, US organisations are required to register and self-certify their compliance with data protection standards. The DPF replaces the EU-US Privacy Shield, which was invalidated three years ago by the European Court decision in Schrems II. Since then, businesses have had to implement standard contractual clauses and additional measures to achieve compliant transfers.
Following Brexit, data transfers from the UK to the US cannot directly rely on the use of the DPF. A few weeks ago, the UK and US agreed to create a ‘data bridge’—a way to legally share data between organisations in both countries. The data bridge is expected to extend and rely on the newly approved DPF, with the aim of easing personal data transfer between the UK and US without sacrificing personal data protection. As a result, transferring data to the US should become simpler and more compliant.
The data bridge is not yet in effect but has the potential to streamline data transfers to the US for over 50,000 UK organisations, potentially saving them over £90 million annually according to government estimates. It remains unclear how the data bridge and the DPF will co-exist and interact, and guidance from the UK’s Information Commissioner’s Office (ICO) is awaited.
However, despite this recent progress, the position on international data transfer may not be secure for long. Legal activist Max Schrems has already stated that he will challenge the DPF’s validity. As a result, the newly approved solutions to streamline data flows with the US could be disrupted once again in the coming years.
The Commercial team at Square One Law will continue to provide updates on the latest developments.