eu-us data privacy framework

The new framework provides an additional route for personal data transfers from the EEA to the US.

By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes

On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).