EU adopts Data Privacy Framework adequacy decision
The EU adequacy decision for the US Data Privacy Framework in July 2023 enabled transatlantic transfers. It is the new mechanism after the invalidation of Privacy Shield. Monitor for any legal challenges.
The European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), enabling personal data transfers to participating U.S. organizations that commit to the framework's privacy principles. The decision followed U.S. executive actions establishing a Data Protection Review Court and limits on signals intelligence, addressing Schrems II concerns.
Framework structure
The DPF sets up a certification mechanism administered by the U.S. Department of Commerce. Participating organizations must publicly commit to privacy principles covering notice, choice, accountability, security, data integrity, access, and recourse. The framework introduces a two-tier redress mechanism: first through independent dispute resolution, then through the Data Protection Review Court for signals intelligence complaints.
Transfer impact assessment updates
Controllers relying on the DPF must verify vendor certification via the DoC list and update data processing agreements to reference DPF compliance. Privacy notices should inform data subjects of the legal basis for transfers to DPF-certified entities. If you are affected, document the adequacy decision in your transfer impact assessment records.
Alternative safeguards
Non-certified transfers still require alternative safeguards such as standard contractual clauses with supplementary measures. If you are affected, maintain SCCs as backup mechanisms and monitor certification status of key vendors. Mixed transfer arrangements may be necessary for vendors with partial certification coverage.
Monitoring requirements
The Commission will conduct periodic reviews of the adequacy decision. If you are affected, track challenges to the framework, particularly potential litigation similar to Schrems I and II. Legal teams should prepare contingency plans for framework invalidation scenarios.
Framework Overview
The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on July 10, 2023, enabling personal data transfers from the European Union to certified US organizations without additional safeguards. The decision concludes that the United States ensures an adequate level of protection for personal data transferred under the framework, following significant reforms to US intelligence collection practices.
The framework succeeds the Privacy Shield, which was invalidated by the Court of Justice of the European Union in the Schrems II decision. US Executive Order 14086, issued in October 2022, addressed CJEU concerns by establishing binding safeguards limiting signals intelligence collection and creating a new redress mechanism for EU individuals.
Certification Requirements
US organizations must self-certify to the Department of Commerce to participate in the framework. Certification requires a commitment to comply with the Data Privacy Framework Principles, including notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability.
Organizations must publish privacy policies describing framework participation and comply with ongoing obligations including annual re-certification, cooperation with EU data protection authorities for HR data, and participation in dispute resolution mechanisms. The Federal Trade Commission and Department of Transportation have enforcement authority for framework compliance.
Key Protections
Executive Order 14086 establishes binding safeguards on US signals intelligence activities, limiting collection to what is necessary and proportionate for defined national security objectives. Intelligence agencies must adopt updated policies and procedures implementing these requirements, with oversight by the Privacy and Civil Liberties Oversight Board.
The Data Protection Review Court provides an independent redress mechanism for EU individuals who believe their data was collected in violation of applicable safeguards. Individuals can lodge complaints with EU data protection authorities, which transmit complaints to the US for review. The court can order remedial measures including deletion of improperly collected data.
Organizational Implementation
Organizations currently relying on Standard Contractual Clauses or other transfer mechanisms for EU-US data flows should evaluate whether Data Privacy Framework certification would simplify compliance. Certification provides a simplified legal basis for transfers but requires ongoing compliance with framework principles and enforcement mechanisms.
Privacy policies must be updated to reflect framework participation and describe rights available to EU individuals. Internal procedures should address data subject access requests, complaint handling, and cooperation with oversight bodies. Training ensures personnel understand framework obligations and their roles in compliance.
Risk Considerations
While the adequacy decision provides legal certainty for EU-US transfers, you should consider potential future challenges. Privacy advocacy groups have announced intentions to challenge the decision before the CJEU, similar to challenges that invalidated Safe Harbor and Privacy Shield. Organizations may choose to maintain alternative transfer mechanisms as contingency measures.
Supplementary measures addressing specific data protection risks may remain advisable depending on data sensitivity and processing contexts. Risk assessments should consider the nature of data transferred, purposes of processing, and specific safeguards applicable to organizational circumstances.
Monitoring and Compliance
The Commission will conduct regular reviews of framework functioning, with the first review within one year of the adequacy decision. These reviews assess whether US protections continue to provide adequate safeguards and may result in modifications or suspension of the decision if deficiencies are identified.
If you are affected, monitor framework developments and maintain compliance programs capable of adapting to potential changes. Documentation of transfer activities and safeguards supports both internal governance and regulatory inquiries regarding data protection practices.
Summary
The EU-US Data Privacy Framework adequacy decision restores a simplified legal basis for transatlantic data transfers, addressing critical business needs while providing improved protections for EU individuals. If you are affected, evaluate certification benefits against compliance requirements and maintain awareness of potential legal developments affecting the framework's long-term stability.
Business Continuity Considerations
Organizations with critical EU-US data flows should develop contingency plans addressing potential framework invalidation or modification. Alternative transfer mechanisms including Standard Contractual Clauses should be evaluated and potentially implemented in parallel with framework certification. Business continuity planning should address both legal and operational implications of transfer mechanism disruption.
Engagement with legal counsel experienced in international data transfers supports informed decision-making about certification and contingency planning. Industry associations provide forums for sharing experiences and coordinating approaches to framework setup and risk management. Regular monitoring of CJEU proceedings and Commission reviews enables preventive response to potential developments affecting framework validity.
Investment in full data protection programs supports compliance regardless of specific transfer mechanism, positioning organizations for successful handling of evolving transatlantic data governance requirements.
Early compliance preparation positions organizations for success in the evolving transatlantic data protection environment. Documentation of transfer activities and compliance decisions supports regulatory inquiries and shows organizational commitment to data protection.
Legal Framework and Safeguards
The EU-US Data Privacy Framework replaces Privacy Shield following Schrems II invalidation. US organizations self-certify annually, committing to binding data protection principles. The Data Protection Review Court provides EU individuals with independent redress mechanisms for alleged surveillance violations.
Implementation Requirements
Organizations must verify DPF certification status for US data importers and update transfer documentation. Transfer impact assessments may remain necessary for sensitive data categories. Records should demonstrate lawful basis reliance on the adequacy decision.
Monitoring and Compliance
Annual recertification obligations require ongoing commitment from US organizations. The European Commission monitors framework effectiveness with periodic reviews. Organizations should track legal developments affecting DPF validity, given the precedent of adequacy decision challenges.
Further reading
- EU-US DPF Adequacy Decision — ec.europa.eu
- Data Privacy Framework — dataprivacyframework.gov
- EDPB Transfer Guidance — edpb.europa.eu