Compliance Briefing — EU adopts Data Privacy Framework adequacy decision

On 10 July 2023 the European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), enabling personal data transfers to participating U.S. organizations that commit to the framework’s privacy principles. The decision followed U.S. executive actions establishing a Data Protection Review Court and limits on signals intelligence, addressing Schrems II concerns.

Controllers relying on the DPF must verify vendor certification via the U.S. Department of Commerce list and update contracts and privacy notices accordingly. Non-certified transfers still require alternative safeguards such as standard contractual clauses with supplementary measures.

• European Commission press release announces the adequacy decision and oversight mechanisms.
• Official Journal decision provides the legal text and requirements for certified organizations.