European Commission adopts Adequacy Decision for Transatlantic Transfers of Personal Data
On 10 July 2023, the European Commission (EC) adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF). Under EU law, an adequacy decision is a determination made by the EC that a given jurisdiction or a sector thereof, or an international organization, offers an adequate standard of protection of personal data. It hence allows for the unrestricted transfer of personal data from the EU to such a jurisdiction.
Previously, the US had installed two self-certification schemes that enjoyed adequacy status, but both have been annulled. More specifically, in Schrems II (2016), the Court of Justice of the EU (CJEU) held that the limitations to the protection of personal data, resulting from US authorities’ access to the said data for national security and law enforcement purposes, as well as the prescribed remedies, were not circumscribed in a such manner that met the necessary threshold of being “essentially equivalent” to those under EU law.
Therefore, the new arrangement, the DPF sets out to remedy these shortcomings, and to grant such a satisfactory level of protection to the individuals in the EU.