Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows

July 12, 2023
Ash Costello


View profile

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”).

The decision determines that the Framework ensures a level of data protection comparable to that of the European Union for personal data transferred from the EU to US companies.  The decision benefits businesses on both sides of the Atlantic, and provides greater protection for the personal data of individuals within the EU.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, as they also apply to the transfer of personal data using other tools such as standard contractual clauses and binding corporate rules.  This offers entities on both sides of the Atlantic the flexibility to tailor their privacy compliance to their own requirements.

EU based entities can transfer personal data safely from the EU to any US companies participating in the Framework, without needing any additional data protection safeguards such as standard contractual clauses. 

US based entities trading with the EU and participating in the Framework can streamline their privacy compliance to better manage their privacy risk.   As EU individuals have more and stronger remedies for data breaches, US based companies need to ensure they comply with the terms of the Framework. 

EU individuals will benefit from increased protection of their personal data, including:

  • several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.
  • access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.
  • numerous safeguards regarding the access to data transferred under the framework by US public authorities, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security. 

Operation of the Framework

The functioning of the Framework will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

The Framework will be administered and monitored by the US Department of Commerce, while the US Federal Trade Commission will enforce US companies’ compliance.

UK based entities cannot rely on this Framework or adequacy decision.  However, it is hoped that transfers of personal data between the US and the UK can be similarly simplified before too long.  On 7 October 2022, the UK and US Governments issued a statement on UK-US data adequacy., confirming that significant progress was being made towards a conclusion.

How we can help

We are assessing the requirements of the Framework and the adequacy decision, and will be happy to assist entities to address the implications for their organizations. 

Please contact us if you would like to schedule a meeting.