EU Commission adopted its adequacy decision for the EU-US Data Privacy Framework

11/07/23

On 10 July 2023, the EU Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (the so-called EU-US DPF). The new adequacy decision enables EU companies to transfer personal data to the US without breaching the GDPR and risking fines.

The DPF gives oxygen to EU companies eager to share their data across the Atlantic, after the invalidation of the former EU-US Privacy Shield, which consequently led to several fines for unlawful data transfers to the US (see for example our news flash of 24 May 2023).

The EU-US DPF constitutes an adequacy decision under Article 45 GDPR from which US companies can benefit, should they agree to respect a series of principles laid down in the decision itself. Upon adherence to these principles (and registration with the US Department of Commerce), US companies shall be deemed to ensure an adequate level of protection for the processing of EU personal data in the US. The new Framework entered into force with its adoption on 10 July 2023.

While the EU-US DPF bears a clear resemblance to previous EU-US data transfer agreements, it also goes hand in hand with some changes in US legislation, such as:

  • Executive Order 14086 of 7 October 2022 “enhancing safeguards for US Signals Intelligence activities” (EO 14086)
  • Regulation on the Data Protection Review Court issued by the Attorney General (AG Regulation)

Those regulations modify the US regulatory landscape which led to the outcome of the Schrems II case.

The DPF itself provides a list of general data protection principles in Annex I (similar to those under the GDPR). In order for those principles to be enforceable upon US companies, a series of commitments and oversight and enforcement mechanisms have been undertaken by the US Department of Commerce, the Federal Trade Commission and the Department of Transportation (Annexes III to V).

As a result of the above, the Framework provides new guarantees for EU data subjects and EU companies, such as:

  • Binding safeguards on necessity and proportionality requirements on access by US institutions;
  • Enhanced oversight of activities by US intelligence services via effective means of redress such as the possibility of arbitration and a possibility to file a complaint;
  • Independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

The Framework will be subject to yearly reviews carried out by the European Commission to ensure all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice. The first review is on 10 July 2024.

Whether the new guarantees are strong enough to withstand a new Schrems III onslaught. However, we can hope that they will be enough to establish legal predictability for our EU companies to work with the suppliers of their choice.

Feel free to contact our data protection lawyers Loïc Delanghe and Cedric Verheyen if you’d like to learn more about what opportunities this Framework may bring for your organisation.

Loïc Delanghe

Lawyer - Senior Managing Associate, PwC Legal BV/SRL

+32 493 53 96 13