On Friday 7 October 2022, President Joe Biden signed an executive order to implement the new EU-US Data Privacy Framework announced in March. The framework aims to address the concerns raised by the Court of Justice of the European Union (CJEU) in Schrems II, which led the CJEU to invalidate the EU’s adequacy decision for the EU-US Privacy Shield. Now that the executive order has been signed, the European Commission will prepare a new draft adequacy decision in relation to the US, and then launch its adoption procedure.

What does this mean for EU to US data flows?

This is a positive development for organisations transferring personal data from the EU to the US that, since Schrems II, have needed to use an alternative mechanism to the Privacy Shield, such as standard contractual clauses (SCCs), and also conduct data transfer impact assessments (DTIAs).

Once the European Commission has adopted the final adequacy decision, expected in March 2023, data will be able to flow freely from the EU to US companies that are certified under the new Privacy Shield framework, which will be called the EU-US Data Privacy Protection Framework.

Organisations not certified under the new framework will still need SCCs and DTIAs. However, as the EU has agreed with the US that the safeguards set out in the framework will be available for all transfers to the US, regardless of which transfer tool is used, conducting DTIAs for the US should be easier.

What about UK to US data flows?

Although the new EU-US Data Privacy Framework does not apply to transfers from the UK to the US, the UK and US governments did issue a joint statement (also on Friday 7 October) highlighting the progress made towards a US adequacy assessment by the UK and welcoming the release of the executive order. The UK intends to conclude its work on the new UK-US adequacy arrangement and lay the necessary regulations before Parliament in early 2023.

What now?

Until an adequacy decision is adopted by the EU Commission (for EU to US transfers) and adequacy regulations are passed by the UK Parliament (for UK to US transfers), organisations will continue to need appropriate safeguards, such as the new EU SCCs, for EU to US transfers, or the new UK , for UK to US transfers. In both cases, they will also need to conduct DTIAs.

Importantly, any data transfer agreement relying on the old EU SCCs for transfers from the EU must be updated with the new EU SCCs by 27 December 2022. For further information, see our International Data Transfers – Standard Contractual Clauses toolkit.

What about transfers to countries other than the US?

The above developments relate only to the US, so data transfers to other countries will still need a safeguard such as the SCCs, except for transfers to countries in the EEA or to countries that benefit from a UK/EU adequacy decision.