On 10 July 2023, the European Commission adopted its adequacy decision for the transfer of personal data from the EU to US companies in the private sector. The adequacy decision is an implementing act required by Art. 45 of the General Data Protection Regulation (GDPR). It is called the EU-US Data Privacy Framework (DPF).

The Commission’s adequacy decision and the DPF entered into force immediately. As a consequence, public and private entities from the European Economic Area (i.e., all the 27 EU Member States as well as Norway, Iceland, and Liechtenstein) are able to transfer personal data to companies in the US which certified their participation in the EU-US DPF.

It is the meanwhile third adequacy decision. The first two ones (the Safe Harbor framework and the Privacy Shield) were declared invalid by the CJEU (rulings in Schrems I (→eucrim 3/2015, 85) and Schrems II (→ eucrim 2/2020, 98-99)). According to the Commission, the new DPF takes into account the CJEU’s issues, in particular the access of personal data transferred by US authorities for criminal law enforcement and national security purposes. In over 190 recitals the Commission lays down its reasoning that the standard of data protection in the USA is essentially equivalent to the EU.

The DPF provides EU individuals whose data would be transferred to participating companies in the USA with several new safeguards, e.g., to obtain access to their data, or obtain correction/deletion of incorrect or unlawfully processed data. EU individuals will also have different redress mechanisms against US companies if their data were wrongly handled.

Regarding safeguards against the collection and use of EU citizen’s' personal data by US intelligence authorities, the Commission mainly relies on the Executive Order 14086 “Enhancing Safeguards for US Signals Intelligence Activities” and the complementing Regulation on the “Data Protection Review Court” issued by the U.S. Attorney General (→ eucrim 1/2023, 33). These documents provide for binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security, establish enhanced oversight, and include a new independent and impartial redress mechanism. The latter consists of two layers: First, EU individuals can complain about the collection and use of their data by US intelligence authorities before the “Civil Liberties Protection Officer” (CLPO) of the US intelligence community. This person is responsible for ensuring compliance with privacy and fundamental rights. In a second step, the complainant can appeal the CLPO’s decision before the newly created Data Protection Review Court (DPRC) which can act independently from the US government and take binding remedial decisions. The complainant’s interests are represented by a special advocate who will be selected by the court.

At the US part, the DPF will be administered and monitored by the US Department of Commerce. The US Federal Trade Commission will be competent to enforce compliance by US companies with their obligations under the DPF. The European Commission will continuously monitor relevant developments in the USA. A first review will take place within one year after the entry into force of the adequacy decision. Subsequently, the Commission will further decide on the periodicity of the reviews after consultation with the EU Member States and the data protection authorities.

Statements: The Commission's drafts of the adequacy decision were criticised in advance. Among others, the EDPB saw several shortcomings in relation to certain rights of data subjects and the EP was in favour to halt the adequacy decision (→ eucrim 1/2023, 33-34).

Max Schrems, who won the first two ECJ judgements against the Commission's adequacy decisions in relation to the USA and who has since founded the civil rights organisation nyob, criticised that the DPF is essentially a copy of the “Privacy Shield” and a substantial reform of the US surveillance law would have been needed in order to meet the ECJ’s rulings. He announced that nyob will also bring the third attempt to regulate EU-US data flows before the CJEU.

At the beginning of September 2023, French MP Philippe Latombe announced that he, too, will challgenge des DPF before the EU’s General Court. He argued that the DPF includes insufficient guarantees of respect for private and family life with regard to bulk collection of personal data and he found violations against procedural rules because the DPF was notified only in English and was not published in the EU's Official Journal.

By contrast, Věra Jourová, Commission Vice-President for Values and Transparency, defended the new adequacy decision and said that it “will provide legal certainty for businesses and will help further consolidate the EU as a powerful player in transatlantic markets, while remaining uncompromising on respecting fundamental right of Europeans for their data to be always protected.”