EU-US Data Privacy Framework

On the 10th of July 2023, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework.

The adequacy decision was largely the result of safeguard issues that were raised in the 2020 Schrems II decision of the Court of Justice of the European Union. It ensures that data can be transferred from the EEA to a third country with an adequate level of protection comparable to that of the EU.

As a consequence of the adequacy decision, European controllers and processors can transfer data from the EEA to the US without the need to place any additional safeguarding measures.

The adequacy decision provides for new avenues for redress for individuals whose data is transferred from EEA to the US. In case data subjects feel that their data protection rights have been allegedly infringed, they have a right to lodge a complaint with our office. Pursuant to the adequacy decision, we will channel, via the secretariat of the European Data Protection Board, the complaint to the redress mechanism. Naturally, data subjects will be kept informed about the outcome of their complaints.

During its July plenary meeting, the EDPB adopted the information note for individuals and entities transferring data to the U.S.. This note aims to provide concise and objective information regarding the impact of the adequacy decision on transfers to the U.S., the redress mechanisms available under the Data Privacy Framework (DPF), and the new redress mechanism in the area of national security.