The European Commission has adopted an adequacy decision for the European Union – United States Data Privacy Framework (EU-US DPF). Within the framework of this adequacy decision, starting from July 10, 2023, personal data will be freely and securely transferred between the European Union and participating United States companies.
Background of the decision
Since 2021, data transfers between the EU and the US have lacked a legal basis. Although the Commission had previously facilitated the transfer of personal data from the European Economic Area to the USA, under the scope of Article 45 of the GDPR (General Data Protection Regulation) through adequacy decisions known as Safe Harbor and Privacy Shield, these decisions became invalid due to the Schrems I and Schrems II decisions by the EU Court of Justice.
In the Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Framework, which was a mechanism for transferring personal data from the EU to the USA. The decision identified issues with US law that prevented US data recipients from ensuring a data protection standard equivalent to that offered in the EU. These issues included the broad authority of US intelligence agencies to access personal data under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333, without appropriate mechanisms for oversight or legal redress for EU data subjects. FISA 702 empowers US intelligence agencies to gather data on non-US individuals located abroad, particularly for foreign intelligence and national security purposes, including by intercepting communications, all within the scope of potential legal recourse.
In October 2022, US President Joe Biden signed Executive Order 14086 on “Enhancing Safeguards for US Signals Intelligence Activities”, which established a set of rules and safeguards to appropriately and proportionately limit US intelligence agencies’ access to data. This action led US intelligence agencies to adopt procedures to protect national security while ensuring effective oversight of new privacy and civil liberties protection standards. Additionally, it introduced a new two-tier redress system to investigate and address complaints from individuals in the EU regarding access by US intelligence agencies, including the establishment of an independent Data Protection Review Court.
Based on EO 14086, the EU-US Data Privacy Framework (DPF) was developed collaboratively by the US Department of Commerce and the European Commission. Its purpose is to provide US organizations with reliable mechanisms for transferring personal data from the EU to the US while ensuring adequate data protection.
Obligations and New Mechanisms for Data Security
Adequate protection and binding safeguards
The DPF aims to introduce new safeguards that address the concerns raised by the European Court of Justice in its Schrems II decision. The framework specifies that limitations on the protection of personal data can only be established through regulations enacted by law, and these laws must be in accordance with EU data protection regulations. The decision concluded that this framework guarantees an adequate level of protection for personal data transferred from the EU to US companies through the DPF and US domestic law, including EO 14086.
Compared to the Privacy Shield Agreement, the DPF allows US intelligence services to access EU residents’ data only when it is necessary and proportionate to protect national security. In addition, the DPF establishes a Data Protection Review Court to investigate complaints from EU residents. The court may order the deletion of such data if it was collected in violation of the new safeguard measures introduced by the DPF.
Certification requirement
To benefit from the DPF, US-based companies must certify their commitment to a set of privacy principles issued by the US Department of Commerce. To be eligible for certification, an organization must be subject to the investigatory and enforcement powers of either the Federal Trade Commission (FTC) or the US Department of Transportation.
To receive certification under the DPF, organizations are obligated to publicly declare their commitment to complying with the principles, to make their privacy policies available, and to fully implement them.
Organizations that have not obtained certification in this context will not be permitted to transfer data from the EU.
Redress and dispute resolution mechanism and arbitration panel
EU individuals have various avenues for seeking redress if their data is mishandled by US companies. These avenues include independent dispute resolution mechanisms and an arbitration panel, which provide accountability and protection for individuals.
Periodic reviews
The operation of the DPF will be subject to periodic reviews to ensure its effectiveness and full implementation, ensuring its continued alignment with data protection standards and legal requirements.
These reviews will be conducted by the European Commission in collaboration with representatives from European data protection authorities and competent US authorities. The first review is scheduled to take place within a year of the adequacy decision coming into effect.