On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), providing a new legal basis for transfers of personal data from the EU/EEA to U.S. organizations that have self-certified to the framework. This is the most significant development in transatlantic data transfers since the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield in its Schrems II judgment of July 16, 2020.
Background: From Safe Harbor to Privacy Shield to DPF
The EU-U.S. Data Privacy Framework is the third iteration of a bilateral arrangement enabling transfers of EU personal data to the United States:
- Safe Harbor (2000–2015): Invalidated by the CJEU in Schrems I (October 2015)
- Privacy Shield (2016–2020): Invalidated by the CJEU in Schrems II (July 2020)
- EU-U.S. Data Privacy Framework (2023–present): Adopted July 10, 2023
How to Join the Data Privacy Framework
U.S. organizations may self-certify to the DPF by completing a seven-step process administered by the U.S. Department of Commerce through the Data Privacy Framework Program. Note that self-certification is voluntary, but once an organization publicly commits to the DPF Principles, that commitment is enforceable under U.S. law by the FTC or DOT. The steps are:
- Determine your organization’s eligibility (FTC or DOT jurisdiction required)
- Develop a DPF-compliant privacy policy
- Establish or update human resources data practices
- Designate an independent recourse mechanism to handle unresolved complaints at no cost to the individual (organizations that transfer HR data must instead commit to cooperate with the EU data protection authorities)
- Identify the U.S. statutory body with jurisdiction over your organization (FTC or DOT) that will enforce your DPF commitments
- Develop verification procedures
- Submit your self-certification through the DPF Program website and pay the applicable fee
Organizations must recertify annually, and their DPF commitments continue to apply to data received under the framework for as long as they retain it, even after leaving the program.
Key Compliance Obligations Under the DPF
Self-certified organizations must comply with seven core principles and sixteen supplemental principles, including:
- Notice: Inform individuals about data collected, purposes, and rights
- Choice: Give individuals the ability to opt out of disclosure to third parties or use for a materially different purpose; for sensitive data, obtain affirmative express (opt-in) consent
- Accountability for Onward Transfer: Ensure downstream recipients provide equivalent protection
- Security: Implement reasonable and appropriate security measures
- Data Integrity and Purpose Limitation: Limit processing to stated purposes; ensure data accuracy
- Access: Honor individuals’ rights to access their data and to correct, amend, or delete it where it is inaccurate or processed in violation of the Principles
- Recourse, Enforcement, and Liability: Provide effective dispute resolution mechanisms
U.K. and Swiss Extensions
The DPF also includes:
- U.K. Extension to the DPF (the "U.K.-U.S. Data Bridge"): Effective October 12, 2023, for organizations that are DPF-certified and have also certified to the U.K. Extension
- Swiss-U.S. Data Privacy Framework: For transfers from Switzerland
Impact on Other Transfer Mechanisms
For DPF-certified organizations, the adequacy decision provides a streamlined alternative to standard contractual clauses (SCCs) and binding corporate rules (BCRs): transfers covered by the certification no longer require a separate transfer impact assessment. The DPF does not replace other mechanisms entirely, however, and organizations should:
- Continue maintaining SCCs for transfers to U.S. recipients (including vendors and affiliates) that are not DPF-certified or whose certification does not cover the data in question
- Evaluate whether existing SCC agreements should be updated to reference the DPF where applicable
- Assess whether BCRs remain appropriate for intra-group transfers
Future Developments
The DPF faces potential legal challenges. Max Schrems and NOYB have indicated readiness to bring a CJEU challenge, and French MP Philippe Latombe filed an annulment application with the EU General Court in September 2023. Organizations should monitor developments and maintain alternative transfer mechanisms, such as SCCs, as a fallback should the adequacy decision be suspended or invalidated.
Despite these uncertainties, the DPF is currently valid and operative. Organizations that have not yet self-certified should consider doing so to benefit from this streamlined transfer mechanism while it remains available.
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.