On July 10, 2023, the European Commission adopted the Adequacy Decision for the EU-U.S. Data Privacy Framework. This decision asserts that the United States ensures an adequate level of protection, comparable to that of the EU, regarding personal data transferred from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework.

Article 45(3) of the General Data Protection Regulation (GDPR) grants the Commission the authority to decide, via an implementing act, that a non-EU country ensures an “adequate level of protection” — a level equivalent to that within the EU. Adequacy decisions facilitate the free flow of personal data from the EU to a third country without additional obstacles.

The protection under the EU-U.S. Data Privacy Framework applies to all personal data transferred from the European Union to organizations in the U.S. that have certified their adherence to the Principles with the U.S. Department of Commerce (DoC). However, data collected for journalistic material cannot be transferred based on the EU-U.S. Data Privacy Framework.

To be eligible for certification under the EU-U.S. Data Privacy Framework, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).

Certified organizations commit to the ‘EU-U.S. Data Privacy Framework Principles,’ including the Supplemental Principles, issued by the U.S. Department of Commerce (DoC). Certification involves publicly declaring compliance with the Principles, making privacy policies available, and fully implementing them.

The EU-U.S. Data Privacy Framework introduces binding safeguards to address concerns raised by the European Court of Justice. It limits access to EU data by US intelligence services, establishes a Data Protection Review Court (DPRC), and introduces improvements compared to the previous Privacy Shield mechanism. For example, the DPRC can order the deletion of data found to be collected in violation of safeguards.

The adequacy decision allows for the free and safe flow of personal data between the parties, based on binding safeguards, a two-tier redress system, strong obligations for companies, and specific monitoring and review mechanisms.

You can find more information on the EC website and the U.S. Department of Commence | Data Privacy Framework Program.

Roxana Darie, MBL

Managing Director / Legal Affairs EU