On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (DPF) by adopting an “adequacy decision.” Adequacy decisions are one of the legal mechanisms under the EU’s General Data Protection Regulation (GDPR) for transferring personal data from the EU to third countries which, in the eyes of the European Commission, offer sufficient privacy and data protection. The DPF adequacy decision recognizes that, although the United States has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the GDPR’s rules on international data transfers. The European Commission takes the position that personal data can flow freely and safely from the EU to U.S. companies that are participating in the new Framework.
Transfers of personal data from the EU to the U.S. have generated much controversy over the past few years. In 2020, the Court of Justice of the EU invalidated the DPF’s predecessor, the EU-U.S. Privacy Shield, following a complaint by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB — European Center for Digital Rights (known as the Schrems II case). In the Schrems II case, questions were raised about how personal data of EU users of social network Facebook was available to U.S. authorities (e.g., the National Security Agency) in a manner that was considered incompatible with the EU Charter of Fundamental Rights. The Court of Justice was particularly concerned that U.S. intelligence agencies could access personal data from EU individuals beyond what is necessary and proportionate and that there was no independent and impartial redress mechanism to handle complaints from EU individuals.