New GDPR Adequacy Decision for the EU-US Data Privacy Framework

According to the General Data Protection Act (GDPR), transfer of personal data to a country outside the EU can only take place where the recipient country ensures an adequate level of protection for the rights of EU data subjects.

Until recently, the European Commission had deemed the United States to have inadequate data privacy and security protections and required businesses to find legal mechanisms to allow for such cross border transfer of data. That has now changed. On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework. The adoption of this adequacy decision follows years of intense negotiations between the EU and the U.S., after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield that had earlier been in place.

According to the new European Commission decision, the United States now ensures an adequate level of protection―comparable to that of the European Union―for personal data transferred from the EU to U.S. companies under the new framework. This long-awaited decision provides both EU companies and U.S businesses that transfer personal data of EU residents to the U.S. with an additional mechanism to legitimize their transatlantic data transfers.

The adequacy decision allows businesses that adhere to the EU-U.S. Data Privacy Framework and commit to a set of privacy obligations to receive EU personal data without having to put in place additional transfer safeguards. According to the European Commission, the EU-U.S. Data Privacy Framework addresses all concerns raised by the CJEU, including access to EU data by U.S. intelligence services. Improved redress mechanisms are provided if personal data is handled in a manner that does not comply with the EU-U.S. Data Privacy Framework. The EU has created a new Data Protection Review Court to handle complaints.

The EU-U.S. Data Privacy Framework will be subject to periodic reviews by the European Commission and representatives of European data protection authorities and competent U.S. authorities. The consumer group NOYB has already threatened to challenge this decision. by NOYB.

In the meantime, businesses should not abandon their current measures. While this new adequacy decision provides businesses a new legal mechanism to consider when transferring personal data of EU residents to a server located in the USA, based on prior experience this new- found protection may not last.