European commission adopts adequacy decision for the EU – US data privacy framework

12 July, 2023


The Adequacy Decision 

On July 10, 2023, the European Commission adopted an adequacy decision for the US Data Privacy Framework (DPF), which would allow for transfers of personal data to entities in the US without the need for additional safeguards. The decision which came into effect on July 11, 2023 is expected to ease the compliance burden for companies operating in the US or working with service providers in the US.

Background 

The EU’s General Data Protection Regulation (GDPR) restricts the transfer of personal data to countries outside of the EEA, unless appropriate safeguards are implemented. Certain countries, including Israel, have been determined by the European Commission to offer an adequate level of protection that is equivalent to the protection provided in the EU. Personal data may be transferred freely to “adequate” countries without the need for additional safeguards. 

In the past, transfers to the US were permitted to organizations certified under the Privacy Shield Framework. However, the Privacy Shield Framework was invalidated in July 2020 by the “Schrems II” decision of the European Court of Justice.

Since that decision, transfers of personal data from the EU to the US are only permitted following an assessment of the risks presented by the transfer, including the applicability of relevant US laws, the signing of the approved form of Standard Contractual Clauses, and the implementation of additional technical security measures designed to safeguard the transferred data.

Implementation of these measures has presented a significant compliance burden for companies looking to transfer data to the US. 

EU – US Data Privacy Framework

The European Commission and the US have agreed on the Data Privacy Framework (DPF), which is intended to enhance the protection of data subject rights in the US.

To meet the DPF’s requirements, President Biden signed an Executive Order in 2022, which introduced additional safeguards of data subject’s rights regarding US intelligence activities and granted individuals the ability to seek independent review and redress regarding the collection and processing of their personal data.
 
The European Commission’s latest decision states that US organizations that comply with the DPF, and self-certify accordingly, can be considered to offer an adequate level of protection. This would allow for the transfer of personal data from EEA data subjects to these US organizations. The DPF website, provides among others materials, information on self-certification and a list of participating organizations. 
 
The decision is expected to face challenges. The organization “noyb”, which challenged the Privacy Shield Framework in the Schrems II decision, has already announced its intention to appeal the adequacy decision. Schrems III may be on the horizon.

Recommendations 

We recommend that companies that are based in the US or that transfer data to affiliates or related entities in the US undergo the process of self-certification with the DPF.

As part of the self-certification process, companies will need to demonstrate their compliance with the DPF principles and will need to register.

Companies that are not based in the US that are transferring personal data to service providers or other entities in the US, may want to reevaluate whether they can rely on the adequacy decision for such transfers, rather than the more involved process that has been required until now.

This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.

The information presented here is of a general nature and is not intended to answer the unique circumstances

of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future.

Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.

For the further information please contact us.

Want to know more?
Contact us

Shiri Menache

Head of Marketing and Business Development

Matan Bar-Nir

Press Officer, OH! PR