The EU-U.S. Data Privacy Framework is a set of rules that govern the transfer of personal data from the European Union (EU) to the United States. The European Commission adopted an adequacy decision for the EU-U.S. DPF on July 10, 2023, which in practice replaces its adequacy decision for the EU-U.S. Privacy Shield Framework that was invalidated by the Court of Justice of the European Union (CJEU) in 2020.
The EU-U.S. DPF includes a number of new safeguards to protect the privacy of EU citizens, including:
- Limitations on access to EU data by U.S. intelligence services. The framework limits the access of U.S. intelligence services to EU data to what is necessary and proportionate.
- Establishment of a Data Protection Review Court (DPRC). The DPRC is a new court that will be responsible for reviewing decisions by U.S. authorities to access EU data.
The adequacy decision is a formal decision by the European Commission that the United States provides an adequate level of protection for personal data transferred from the EU. This means that companies in the EU can transfer personal data to companies in the United States without having to put in place additional safeguards.
The EU-U.S. DPF and the European Commission’s adequacy decision for the EU-U.S. DPF together represent a significant step forward in the protection of the privacy of EU citizens. The EU-U.S. DPF provides a number of important safeguards for EU data, and the adequacy decision ensures that companies in the EU can continue to transfer personal data to companies in the United States consistent with EU law.
Note: The Data Privacy Framework (DPF) Program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF Program, a U.S.-based organization is required to self-certify to the ITA via the Department’s DPF Program website (https://www.dataprivacyframework.gov/) and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF Program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.