Data Protection Update: European Commission adopts EU-US adequacy decision

The adequacy decision for the EU-US Data Privacy Framework can be found here.

The adoption of the adequacy decision follows years of negotiations between the EU and the U.S., after the invalidation of the transfer mechanism EU-U.S. Privacy Shield by the Court of Justice of the European Union in the so-called Schrems II case in July 2020. The decision made immediate and significant implications for organizations around the world concerning, especially, business critical use of U.S. based services and cloud providers.

The adequacy decision will only apply to U.S. companies which are self-certified under Data Privacy Framework. According to the European Commission’s press release, US companies will be able to join the Data Privacy Framework by committing to comply with a detailed set of privacy obligations. U.S. companies currently self-certified under the Privacy Shield Framework will have access to a simplified procedure for self-certification under the Data Privacy Framework. The U.S. companies certified under the Data Privacy Framework will eventually be added to a list available at dataprivacyframework.gov.

Please note that there is still a requirement for transfer mechanisms, such as Standard Contractual Clauses, and transfer impact assessments for transfer of personal data to U.S. companies not (yet) certified under the Data Privacy Framework. The U.S. transfer impact assessments will, however, be less stringent and complicated as a result of the adequacy decision.