European Commission Adopts Adequacy Decision for EU-US Data Privacy Framework — a Note of Caution

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework after concluding that it provides adequate protection for personal data transferred from the EU/EEA to US companies. However, there is more to the story, as it will likely return to the Court of Justice (CJEU) in only a few months.

The EU-US adequacy decision comes after a nail-biting wait, during which MEPs raised concerns that looked set to derail the agreement. But the European Commission confirmed its decision just days after the US Department of Justice and the US Office of the Director of National Intelligence announced the completion of the US commitments to the Framework under President Biden’s executive order.

European Commissioner for Justice, Didier Reynders, said that “personal data can now flow freely and safely from the European Economic Area to the United States”.

However, Max Schrems, chair of the privacy organisation NOYB, is not convinced that the new deal provides the ‘robust’ safeguards missing from the Privacy Shield (from 2016) and the Safe Harbor (from 2000) before that.

So, is the EU-US adequacy decision set in stone? What are the next steps for the EU-US Data Privacy Framework, and what should US clinical trial sponsors do now?

What are the next steps for the EU-US Data Privacy Framework?

At this stage, the way forward needs clarification.

The EU-US Data Privacy Framework would usually be subject to periodic reviews by the European Commission and representatives of European data protection authorities and competent US authorities.

The first review would take place within a year of the entry into force of the adequacy decision to verify that all elements of the Data Privacy Framework have been fully implemented in US legislation and are functioning effectively in practice.

However, there is a possibility that the Framework will be subject to a legal challenge by NOYB before the year is out. NOYB has already indicated that it will challenge the Framework because it believes the US still needs to make substantial changes to its surveillance law.

Commissioner Reynders responded to NOYB’s statement during the press conference announcing the EU-US Data Privacy Framework, saying the Framework should be tested before a legal challenge is announced.

Unfazed by this, NOYB expects the first companies to implement the new Framework within the next few months, opening the door to legal challenges from people whose data is transferred under the new EU-US agreement. The Court of Justice of the European Union (CJEU) is not easily swayed by promises and claims: once a challenge has been filed, the Court will want to satisfy itself that the correct legislation is in place to support them. The CJEU could suspend the new Framework while it reviews the matter further.

Does the EU-US Data Privacy Framework apply to UK companies?

The EU-US adequacy decision affects personal data transferred from EU member states (plus Iceland, Liechtenstein and Norway) to companies and organisations within the US.

UK companies can continue using the International Data Transfer Agreement to transfer personal data to the US. However, the UK and the US have committed in principle to establishing a ‘data bridge’, a UK extension to the EU-US Data Privacy Framework (DPF), to allow for the free flow of data between the UK and participating organisations in the US.

The UK extension to the EU-US DPF has not yet been finalised, and thus, personal data cannot be received from the UK and Gibraltar under this Framework before it enters into force. We advise seeking the guidance of a data privacy consultant to safeguard your data subjects and ensure you continue to transfer personal data legally.

What should US pharmaceutical and biotech companies do as the road ahead is unclear for the EU-US adequacy decision?

Data protection and privacy legislation is there, first and foremost, to protect the privacy of data subjects. Thus, the smart decision at this time for US pharmaceutical research organisations is to continue to focus on conducting Transfer Impact Assessments (TIAs) and to use existing GDPR compliance mechanisms, such as Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs), until we know that the EU-US adequacy decision is here to stay, the outcomes of any legal challenges are known, and the requirements for self-certification have been made clear.

In the meantime, we advise businesses to seek guidance from a pharma data protection consultancy to ensure the legality of any current cross-border personal data transfers and to prepare for changes under a future EU-US adequacy arrangement, whatever shape that may take.

Pharma Data Protection is a group of data protection experts with a focus on your industry who consult, support, and work with international biopharmaceutical clients to handle sensitive personal data securely for clinical trials in the EEA or UK, including corporate-wide data processing activities across international borders.

Talk to us about your EEA/UK clinical trial and your data transfer requirements