On July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF). In particular, the adequacy decision concludes that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. Specifically, the adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.

Principles

The adequacy decision provides that the EU-US DPF Principles apply immediately on certification, but reminds that organizations are required to re-certify their adherence to the Principles on an annual basis. Likewise, the adequacy decision outlines that to ensure an adequate level of data protection in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with data protection rules should be in place. Specifically, organizations must be subject to the jurisdiction of the competent US authorities, the Federal Trade Commission (FTC) and the Department of Trade (DoT), which have the necessary investigatory and enforcement powers to ensure compliance with the principles.

Redress

The adequacy decision stipulates the new binding safeguards to address concerns raised by the European Court of Justice. This includes limits to ensure that US signal intelligence activities are necessary and proportionate in the pursuit of defined national security objectives. Further, the establishment of the Data Protection Review Court (DPRC) allows individuals in the EU to submit a complaint regarding the alleged violation of their privacy and civil liberties. Where necessary, the DPRC may order relevant intelligence agencies to take remedial actions, including deleting data, terminating acquisition, and a change in collection practices. Organizations that are found to persistently fail to comply with the principles will be removed from the EU-US DPF list and must return or delete the personal data received under the EU-US DPF.

You can read the press release here, the adequacy decision here, and a set of questions and answers here.

Update: September 21, 2023

Adequacy decision published in Official Journal

The EU-US DPF adequacy decision was published, on September 20, 2023, in the Official Journal of the European Union.

You can read the Official Journal here.