On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.
According to the European Commission’s press release, the decision concludes that the United States ensures an adequate level of protection―comparable to that of the European Union―for personal data transferred from the EU to U.S. companies under the new framework.” The long-awaited Adequacy Decision provides EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transatlantic data transfers.
The Adequacy Decision allows self-certified companies that adhere to the EU-U.S. Data Privacy Framework and commit to a set of privacy obligations to receive EU personal data without having to put in place additional transfer safeguards. According to the European Commission, the EU-U.S. Data Privacy Framework addresses all concerns raised by the CJEU, including with respect to access to EU data by U.S. intelligence services. European citizens also are offered improved redress mechanisms if their personal data is handled in a manner that infringes on the EU-U.S. Data Privacy Framework, including through the newly created Data Protection Review Court. Companies currently self-certified under the EU-U.S. Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-U.S. Data Privacy Framework.
The EU-U.S. Data Privacy Framework will be subject to periodic reviews by the European Commission and representatives of European data protection authorities and competent U.S. authorities.
In a press conference given today, EU Justice Commissioner Reynders explained that “with the adoption of the Adequacy Decision, personal data can now flow freely and safely from the European Economic Area to the U.S. without any further conditions or authorizations.” On the possibility of a challenge against the Adequacy Decision, the EU Justice Commissioner stated that “[the Commission] is very confident to try to, not only implement such an agreement, but also to defend [it] in all procedures that [it will] have to face.”
More information about the EU-U.S. Data Privacy Framework and the self-certification process is expected to be posted on the U.S. Department of Commerce’s new Data Privacy Framework website.