by Laura Fannin , Geileis Garrett August-09-2023 in Data Protection

The European Commission has adopted its adequacy decision for the EU-US Data Privacy Framework (“DPF”) and has concluded that the United States ensures an adequate level of protection for personal data transferred under the DPF from a controller or processor in the European Union to certified organisations in the US.  This decision should offer legal certainty to companies transferring personal data between the EU and US.

The predecessor to the DPF was the Privacy Shield, which previously facilitated the free-flow of personal data from the EU to US. However, the Privacy Shield was invalidated in July 2020 in the case of the Data Protection Commissioner v Facebook Ireland Limited and Maximilliam Schrems (“Schrems II”). Following the court’s judgement in Schrems II, the European Commission entered into talks with the US government with a view to a possible new adequacy decision. The DPF introduces new binding safeguards to address the concerns raised in Schrems II, including limiting access to EU data by US intelligence services to what is necessary and proportionate.


Transferring Data outside the EEA

In order to transfer personal data outside of the EEA, organisations must comply with Chapter V of the GDPR, which requires that certain transfer mechanisms be put in place to ensure that any personal data transferred is protected to a level that is essentially equivalent to that guaranteed by the GDPR. The two most common transfer mechanisms used by organisations are EU Commission Adequacy Decisions and Standard Contractual Clauses (“SCCs”).

An adequacy decision means that the European Commission has decided that a non-EEA country, known in data protection law as a third country, ensures an adequate level of data protection. The effect of such a decision is that personal data can flow from the EEA to a third country without any further safeguard being necessary. In other words, the transfer is the same as if it was carried out within the EU.

As such, the DPF means that European entities are able to transfer personal data to certified organisations in the US, in the same way as intra-EU transmissions of personal data.


Certified Organisations

The DPF is based on a system of certification by which US organisations commit to a set of privacy principles (“the Principles”), issued by the US Department of Commerce (“DoC”). The Principles apply to any personal data transferred from the EU to organisations in the US that have certified their adherence to the Principles with the DoC. To be eligible for certification, an organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission or the US Department of Transportation. The DPF will be administered and monitored by the DoC.



The DPF requires organisations to provide recourse for individuals who are affected by non-compliance. The DPF requires that organisations give EU individuals the possibility to lodge complaints regarding non-compliance and to have these complaints resolved, if necessary by a decision providing an effective remedy.

Individuals can submit a complaint to their national data protection authority and complaints will then be transmitted to the US by the European Data Protection Board. Complaints will be investigated by a “Civil Liberties Protection Officer”, who is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights. Individuals have the possibility to appeal against the decision of the Civil Liberties Protection Officer to a newly established Data Protection Review Court (“DPRC”) to handle and resolve complaints from individuals concerning US signals intelligence activities. Any individual in the EU is entitled to submit a complaint to the redress mechanism concerning an alleged violation of US law governing signals intelligence activities that adversely affects their privacy and civil liberties interests.


Access and use of personal data transferred from the EU to public authorities in the US

Any interference in the public interest, in particular for criminal law enforcement and national security purposes, by US public authorities with the fundamental rights of individuals whose personal data are transferred from the EU to the US under the DPF, will be limited to what is strictly necessary to achieve the legitimate objective in question, and legal protection against such interference exists. The new safeguards in the area of government access to personal data will complement the obligations that US companies importing data from the EU will have to subscribe to.


Monitoring and review of the decision

The European Commission will continuously monitor relevant developments in the US in order to assess whether the US still ensures an essentially equivalent level of protection. The European Commission has stated that the first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

Back to Full News