The Data Privacy Framework: new adequacy decision adopted by the European Commission covering EU-US data flows

Legal Eubdate
18 August 2023

On 10 July 2023, the European Commission adopted a new adequacy decision establishing the EU-US Data Privacy Framework. The Commission established in its decision that the United States ensures an adequate level of protection, pursuant to Article 45 GDPR, for personal data transferred from the European Economic Area to organisations in the US that are included in the “Data Privacy Framework List”, which is maintained and made public by the US Department of Commerce. Organisations that wish to transfer personal data to the US under the Data Privacy Framework are obliged to verify whether the data importer is self-certified and included on the list.

This adequacy decision replaces the former adequacy decision establishing the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in a resounding judgment of 16 July 2020 (Schrems II judgment).

Based on the new adequacy decision, personal data can henceforth flow “securely” from the EEA to self-certified US organisations participating in the Data Privacy Framework without the organisations having to implement additional technical, organisational or contractual safeguards and measures to protect personal data.

The adequacy decision was adopted on 10 July 2023 and is immediately applicable. Companies that were self-certified under the EU-US Privacy Shield are also automatically self-certified under the Data Privacy Framework (provided they take certain actions by October 2023).

The question remains how long this adequacy decision will stand, as Max Schrems’ privacy organisation (NOYB – None Of Your Business) has already indicated that it will challenge the new decision as “the allegedly ‘new’ Trans-Atlantic Data Privacy Framework is largely a copy of the failed ‘Privacy Shield’” and “the fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights”. This is why it might be advisable for organisations to still include a fall-back mechanism with Standard Contractual Clauses in case of long-term data sharing agreements.
