Fintech Compliance

All Fintech

Adequacy Decision for the US: Have You Updated Your Privacy Shield Policy Yet?

Jan 12, 2024




9 min read


The EU-US Adequacy Decision has been recently adopted, replacing the Privacy Shield to guide companies transferring data between the two countries through self-certification under the EU-US Data Privacy Framework. 

Participating organizations that previously self-certified according to the Privacy Shield will need to update their privacy policies to refer to the EU-US Data Privacy Framework Principles as soon as possible.

  • Is your company transferring data from the EU to the US?

  • Are you wondering how the EU-US Adequacy Decision will impact this certification and your international data transfers as a whole?

  • Have you already updated your Privacy Policy to refer to its Principles?

This article addresses the frequently asked questions (FAQs) on the EU-US Adequacy Decision we get from our clients. Our international compliance experts answered them to empower you as you proceed to self-certify under the EU-US Data Privacy Framework or make updates to your global privacy policy.

Subject-matter experts with decades of experience wrote this analysis; not freelance copywriters, third-party agencies, or AI-based tools. We are global regulatory compliance experts.

Adequacy Decision for the US
Adequacy Decision for the US

What is an Adequacy Decision?

The Adequacy Decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries. It is a formal declaration by the European Commission designating some non-European Union (EU) countries or territories as providing an adequate level of data protection for personal data transferred from the EU.

Essentially, it signifies that the data protection laws and practices in that country or territory are deemed equivalent to the standards set by EU data protection laws. In other words, international data transfers under adequacy decisions are equal to intra-EU transfers.

As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland, and Liechtenstein, to a third country or territory, without being subject to additional conditions or safeguards.

The adequacy decision is derived from a thorough assessment of the legal framework in multiple countries, encompassing regulations concerning data importers and the restrictions imposed on public authorities' access to personal data.

Which countries and territories have adequacy decisions issued by the European Commission?

As of November 2023, The European Commission has recognized the following 15 countries and territories as providing adequate protection:

  • Andorra

  • Argentina

  • Canada (commercial organizations)

  • Faroe Islands

  • Guernsey

  • Israel

  • Isle of Man

  • Japan

  • Jersey

  • New Zealand

  • Republic of Korea

  • Switzerland

  • United Kingdom

  • the United States (commercial organizations participating in the EU-US Data Privacy Framework), and

  • Uruguay 

Adequacy Decision Countries

Is The EU-US Adequacy Decision the Same as the Privacy Shield?

The EU-US Adequacy Decision and the Privacy Shield are not the same, although they are very similar. The Court of Justice of the European Union invalidated the Privacy Shield and replaced it with the EU-US data Privacy Framework in 2023.

The Privacy Shield was invalidated on the basis that:

  1. the data processing by the US signals intelligence gathering activities was neither necessary nor proportionate; and

  2. the ombudsperson was not sufficiently independent and objective for individuals to seek redress in relation to the improper use of their personal data from the US government.

Practical Tip I: US Companies that copied the language of the Privacy Shield in their privacy policies should update them to accurately reflect the text of the EU-US Data Privacy Framework. 

What is the Adequacy Decision for the EU-US Data Privacy Framework?

On July 10, the European Commission adopted the long-awaited adequacy decision for the EU-US Data Privacy Framework. The Commission assessed various US laws and regulations and concluded that the United States ensures an adequate level of protection compared to the EU. This adequacy decision enables personal data transfers from EU controllers and processors to certified US organizations without the need for additional authorization.

The EU-US framework for data privacy introduces new binding safeguards to address the concerns raised by the CJEU in its Schrems II decision of July 2020. Two of CJEU’s main concerns were:

  • the disproportionate and unnecessary access of US intelligence services to EU personal data and

  • the lack of an effective redress mechanism for Europeans regarding US authorities unlawfully handling their personal data.

To address the CJEU’s concerns, the US adopted Executive Order (EO) 14086 and the Regulation on the Data Protection Review, providing stronger privacy safeguards for European personal data when accessed by US intelligence services. What was done in practice was:

  • limiting US intelligence services’ access to what is necessary and proportionate to national security; 
    adding oversight of US intelligence authorities’ activities and;

  • creating a new redress mechanism by establishing a “Data Protection Review Court” (DPRC).

Practical Tip II: The national security commitments made in the Executive Order and the redress mechanism apply to all transfers, including transfers through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). 

Improvements Brought by Adequacy Decision vs Privacy Shield

The new Adequacy Decision Framework introduced significant improvements compared to the mechanism under the Privacy Shield. These three are worth noting:

  1. DPRC Authority Over Data Deletion. One notable improvement is that the DPRC will have the authority to order the deletion of data if it determines that the data was collected in breach of the newly established safeguards.

  2. Upheld No Concerns Over Commercial Entities. The primary focus of the CJEU's concerns revolved around the safeguards related to US intelligence operations. There were no specific concerns regarding the obligations of commercial entities. Therefore, the new framework’s commercial principles did not change much compared to the EU-US Privacy Shield, except for the inclusion of key-coded data.

  3. Alignment with GDPR. Last but not least, changes were made to references from the previous Data Protection Directive 95/46/EG to align with the GDPR's language. 

Practical Tip III: The EU-US Adequacy Decision does not exempt US companies from complying with the GDPR.

EU-US Data Privacy Framework Evolution Timeline

The table below provides a comprehensive overview of the main events that led to the adoption of the EU-US Data Privacy Framework.

EU US Data Privacy Framework

How does the EU-US Adequacy Decision Impact US and EU Companies?

Overall, the Adequacy Decision enables frictionless personal data transfer between the EU and the US while ensuring an adequate level of data protection under the GDPR.

Recognizing the US as providing an adequate level of data protection can increase the trust between EU and US companies, potentially leading to increased business opportunities and partnerships. Also, US companies participating in the EU-US framework for data privacy can receive personal data from the EU without needing to implement additional safeguards. The same is true for EU companies.

Adequacy Decision Benefits For US and EU Entities

The table below summarizes what the EU-US Adequacy Decision actually means for US and EU companies. As can be seen, the Adequacy Decision provides both EU and US companies with significant advantages.

Adequacy Decision Benefits

EU individuals whose data is transferred to participating US companies gain access to redress mechanisms, such as independent dispute resolution, arbitration panels and lodging complaints with the independent Data Protection Review Court for matters related to national security activities. 

Need help with fintech compliance?

Fill out the form below and our experts will get back to you.

What Are the Practical Implications of the EU-US Data Privacy Framework on EU Businesses?

Clearly, with the certification requirement the EU-US Privacy Framework puts the burden on US companies. However, as pointed out by PWC, EU entities might want to consider the following: 

Map Out Your Data Transfers

Map out all data transfers to US organizations to verify whether the recipients are certified under the EU-US Data Privacy Framework.

Review and Update Your Privacy Policy

Revise and align your Privacy Policy with the changes related to international data transfers.

Review Your Commercial Agreements

Last but not least, make sure that your commercial agreements are written in accordance with the GDPR’s requirements when choosing to rely on the this Framework.

How Do US Companies Self-Certify Under the EU-US Data Privacy Framework?

US companies can self-certify under the EU-US Data Privacy Framework, and renewal of this certification is required annually.

The EU-US Framework is administered by the US Department of Commerce (DoC) while the US Federal Trade Commission (FTC) enforces compliance with the Framework by US companies.

As such, only US legal entities subject to the jurisdiction of the Federal Trade Commission or the US Department of Transportation are currently eligible to participate.

By certifying under the EU-US Data Framework, US companies commit to comply with a set of privacy obligations similar to the core GDPR principles (the EU-US Framework Principles), for instance, data minimization, purpose limitation, accountability, etc.

The US Department of Commerce launched the Data Privacy Framework (DPF) program website, enabling eligible US companies to self-certify their participation in the EU-US framework for data privacy.

EU-US Data Privacy Framework Self-Certification Process

Do you want to participate in cross-border economic activities between the US and EU, such as ecommerce, political campaigns, social engagement, etc?

Self-certify to comply with the EU-US Adequacy Decision!

Follow this 8-step process outlined by the US Department of Commerce and the European Commission:

1. Confirm your company’s eligibility to participate in the EU-US Data Privacy Framework. 

2. Develop a Privacy Policy compliant with the EU-US Data Privacy Principles.

3. Ensure that your company has in place an appropriate independent recourse mechanism for each type of personal data covered by your self-certification.

4. Make the required contribution for the Annex I Binding Arbitration Mechanism.

5. Ensure that your company’s Verification Mechanism is in place. 

6. Designate a contact person responsible for framework Compliance.

7. Prior to submission, double-check the information required to self-certify

8. Submit your company’s self-certification to the US Department of Commerce’s International Trade Administration (ITA). 

Adequacy Decision Steps

Does the EU-US Data Privacy Framework Apply to Transfers from the UK to the US?

Due to Brexit, the EU-US Data Privacy Framework does not apply to data transfers from the UK to the US.

However, the UK government has published its own adequacy decision to allow transfers of personal data from the UK to US self-certified companies under the Framework. In other words, the UK Adequacy Decision creates a “UK Extension” that took effect on October 12, 2023.

In practical terms, US companies that wish to receive personal data per the UK Extension must:

  1. be listed on the EU-US Data Privacy Framework, and

  2. participate in the UK Extension

The companies’ self-certification submissions to the ITA and their privacy policies will reflect these compliance commitments.

What to Expect in the Future?

As with all Adequacy Decisions, the EU-US framework for data privacy will be subject to periodic reviews to verify that the Framework is functioning effectively in practice.

The first review will take place within a year of Adequacy Decision entry into force (in 2024). It will be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

This decision could then be amended or withdrawn depending on the outcome of the periodic reviews.

The Adequacy Decision - Key Takeaways

In summary, the EU-US Data Privacy Framework affirms that the United States provides an adequate level of data protection, facilitating seamless transfers of personal data between the EU and the US.

  • US companies participating in the EU-US Framework can receive personal data from the EU without implementing additional safeguards.

  • For EU companies, the Adequacy Decision enhances the rights of individuals and establishes a redress mechanism for national security concerns.

Overall, the Adequacy Decision promotes the smooth flow of data across the Atlantic while upholding data protection standards in alignment with the GDPR.

How Can InnReg Help?

InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.

We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.

If you need help with compliance, reach out to our regulatory experts today:

Published on Nov 1, 2023


Last updated on Jan 12, 2024

Latest LinkedIn Posts