In a significant development within the realm of data privacy international law, the European Commission gave official sanction to the EU-U.S. Data Privacy Framework (DPF) on July 10, 2023, by instituting an ‘adequacy decision’. In the context of the General Data Protection Regulation (GDPR), ‘adequacy decisions’ act as the primary legal instrument for the transfer of personal data from EU territories to those nations deemed by the entity to guarantee ample measures for privacy and data protection.
The DPF’s ‘adequacy decision’ acknowledges the divergences between EU and U.S. approaches to data protection and recognizes that the transference of personal data to the U.S. under the DPF ensures protection in concurrence with GDPR’s stipulations regarding international data transfers. In light of this development, the European Commission asserts that personal data can safely and freely flow from the EU to those U.S. commercial establishments that are constituents of this new Framework.
It’s worth noting that previous efforts for the transfer of personal data from the EU to the U.S. garnered a considerable amount of controversy. In an infamous case from 2020, the EU-U.S. Privacy Shield, a predecessor to the DPF, was invalidated by the Court of Justice of the EU following a complaint issued by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB — The European Center for Digital Rights, known as the Schrems II case.
Entities that are considering or currently engaged in the transfer of personal data from the EU to the U.S. would benefit from scrutinizing, on a case-by-case basis, the pros and cons of aligning with the new EU-U.S. Data Privacy Framework as opposed to leveraging one of the other data transfer methods available under the GDPR.
More details can be obtained from this article.