On 10 July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework.
The adequacy decision follows the US' signature of an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities', which introduced new binding safeguards to address the points raised by Court of Justice of the European Union in its Schrems II decision of July 2020. Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes. The Decision was adopted following extensive consultations between the Commission and the United States, as well as a relevant Opinion from the European Data Protection Board.
As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data. Under the new data protection framework, data transfers to the United States can be carried out from EU countries to US companies without requiring any additional transfer safeguards or supplementary measures. According to the Commission's announcement, provisions are made to limit access by US authorities to European citizens' data only when necessary and proportionate for the protection of national security. Enhanced oversight of the activities of US intelligence services is also provided. Finally, the establishment of a Data Protection Control Court, which will investigate and resolve complaints by Union citizens regarding the access of US national security authorities to their data, is deemed significant. However, US companies will be able to join this framework after committing to comply with a detailed set of obligations for privacy protection.
The adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework.
This new framework constitutes the third adequacy decision by the European Commission regarding data transfers to the United States. Since July 26, 2000, data transfers to the US were covered by the European Commission's Safe Harbor Decision, which was invalidated by the Court of Justice of the European Union (CJEU) on October 6, 2015, following a complaint by Max Schrems. Subsequently, on July 12, 2016, the European Commission's Privacy Shield Decision came into effect but was also invalidated by the CJEU on July 16, 2020, following a new complaint by Max Schrems.
The new framework will be subject to periodic reviews by the European Commission in collaboration with representatives of the Data Protection Authorities of the Union. The first review is expected to take place within one year from the start of the adequacy decision's validity.
For more information please visit our website microsite on Data Protection & Cyber Law or send your queries at This email address is being protected from spambots. You need JavaScript enabled to view it.
Back to News
