The EU-US Adequacy Decision has been recently adopted, replacing the Privacy Shield to guide companies transferring data between the two countries through self-certification under the EU-US Data Privacy Framework.
Participating organizations that previously self-certified according to the Privacy Shield will need to update their privacy policies to refer to the EU-US Data Privacy Framework Principles as soon as possible.
- Is your company transferring data from the EU to the US?
- Are you wondering how the EU-US Adequacy Decision will impact this certification and your international data transfers as a whole?
Subject-matter experts with decades of experience wrote this analysis, not freelance copywriters, third-party agencies, or AI-based tools. We are global regulatory compliance experts.
What is an Adequacy Decision?
The Adequacy Decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries. It is a formal declaration by the European Commission designating some non-European Union (EU) countries or territories as providing an adequate level of data protection for personal data transferred from the EU.
Essentially, it signifies that the data protection laws and practices in that country or territory are deemed equivalent to the standards set by EU data protection laws. In other words, international data transfers under adequacy decisions are equal to intra-EU transfers.
As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland, and Liechtenstein, to a third country or territory, without being subject to additional conditions or safeguards.
The adequacy decision is derived from a thorough assessment of the legal framework in multiple countries, encompassing regulations concerning data importers and the restrictions imposed on public authorities' access to personal data.
Which countries and territories have adequacy decisions issued by the European Commission?
As of November 2023, the European Commission has recognized the following 15 countries and territories as providing adequate protection:
- Canada (commercial organizations)
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea
- United Kingdom
- the United States (commercial organizations participating in the EU-US Data Privacy Framework), and
Is The EU-US Adequacy Decision the Same as the Privacy Shield?
The EU-US Adequacy Decision and the Privacy Shield are not the same, although they are very similar. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, and the European Commission replaced it with the EU-US Data Privacy Framework in 2023.
The Privacy Shield was invalidated on the basis that:
- the data processing by the US signals intelligence gathering activities was neither necessary nor proportionate; and
- the ombudsperson was not sufficiently independent and objective for individuals to seek redress in relation to the improper use of their personal data from the US government.
Practical Tip I: US companies that copied the language of the Privacy Shield in their privacy policies should update them to accurately reflect the text of the EU-US Data Privacy Framework.
What is the Adequacy Decision for the EU-US Data Privacy Framework?
On July 10, the European Commission adopted the long-awaited adequacy decision for the EU-US Data Privacy Framework. The Commission assessed various US laws and regulations and concluded that the United States ensures an adequate level of protection compared to the EU. This adequacy decision enables personal data transfers from EU controllers and processors to certified US organizations without the need for additional authorization.
The EU-US Data Privacy Framework introduces new binding safeguards to address the concerns raised by the CJEU in its Schrems II decision of July 2020. Two of the CJEU's main concerns were:
- the disproportionate and unnecessary access of US intelligence services to EU personal data and
- the lack of an effective redress mechanism for Europeans regarding US authorities unlawfully handling their personal data.
To address the CJEU's concerns, the US adopted Executive Order (EO) 14086 and the Regulation on the Data Protection Review, providing stronger privacy safeguards for European personal data when accessed by US intelligence services. What was done in practice was:
- limiting US intelligence services' access to what is necessary and proportionate to national security;
- adding oversight of US intelligence authorities' activities; and
- creating a new redress mechanism by establishing a "Data Protection Review Court" (DPRC).
Practical Tip II: The national security commitments made in the Executive Order and the redress mechanism apply to all transfers, including transfers through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
Improvements Brought by Adequacy Decision vs Privacy Shield
The new Adequacy Decision Framework introduced significant improvements compared to the mechanism under the Privacy Shield. These three are worth noting:
- DPRC Authority Over Data Deletion. One notable improvement is that the DPRC will have the authority to order the deletion of data if it determines that the data was collected in breach of the newly established safeguards.
- No Concerns Over Commercial Entities. The CJEU's concerns revolved primarily around the safeguards related to US intelligence operations; it raised no specific concerns regarding the obligations of commercial entities. Therefore, the new framework's commercial principles changed little compared to the EU-US Privacy Shield, except for the inclusion of key-coded data.
- Alignment with GDPR. Last but not least, references to the previous Data Protection Directive 95/46/EC were updated to align with the GDPR's language.
Practical Tip III: The EU-US Adequacy Decision does not exempt US companies from complying with the GDPR.
EU-US Data Privacy Framework Evolution Timeline
The table below provides a comprehensive overview of the main events that led to the adoption of the EU-US Data Privacy Framework.
How does the EU-US Adequacy Decision Impact US and EU Companies?
Overall, the Adequacy Decision enables frictionless personal data transfer between the EU and the US while ensuring an adequate level of data protection under the GDPR.
Recognizing the US as providing an adequate level of data protection can increase the trust between EU and US companies, potentially leading to increased business opportunities and partnerships. Also, US companies participating in the EU-US framework for data privacy can receive personal data from the EU without needing to implement additional safeguards. The same is true for EU companies.
The table below summarizes what the EU-US Adequacy Decision actually means for US and EU companies. As can be seen, the Adequacy Decision provides both EU and US companies with significant advantages.
Adequacy Decision Benefits For US and EU Entities
US Companies:
- Simplified Data Transfers
- Simplified Compliance Processes
EU Companies:
- Enhanced Rights for Individuals: EU individuals whose data is transferred to participating US companies gain access to redress mechanisms, such as independent dispute resolution, arbitration panels and lodging complaints with the independent Data Protection Review Court for matters related to national security activities.
What Are the Practical Implications of the EU-US Data Privacy Framework on EU Businesses?
Clearly, with its certification requirement the EU-US Data Privacy Framework puts the burden on US companies. However, as pointed out by PwC, EU entities might want to consider the following:
Map Out Your Data Transfers
Map out all data transfers to US organizations to verify whether the recipients are certified under the EU-US Data Privacy Framework.
Review Your Commercial Agreements
Last but not least, make sure that your commercial agreements are written in accordance with the GDPR's requirements when choosing to rely on this Framework.
How Do US Companies Self-Certify Under the EU-US Data Privacy Framework?
US companies can self-certify under the EU-US Data Privacy Framework, and renewal of this certification is required annually.
The EU-US Framework is administered by the US Department of Commerce (DoC) while the US Federal Trade Commission (FTC) enforces compliance with the Framework by US companies.
As such, only US legal entities subject to the jurisdiction of the Federal Trade Commission or the US Department of Transportation are currently eligible to participate.
By certifying under the EU-US Data Privacy Framework, US companies commit to comply with a set of privacy obligations similar to the core GDPR principles (the EU-US Framework Principles), for instance data minimization, purpose limitation, and accountability.
The US Department of Commerce launched the Data Privacy Framework (DPF) program website, enabling eligible US companies to self-certify their participation in the EU-US framework for data privacy.
EU-US Data Privacy Framework Self-Certification Process
Do you want to participate in cross-border economic activities between the US and EU, such as ecommerce, political campaigns, social engagement, etc.?
Self-certify to comply with the EU-US Adequacy Decision!
Follow this 8-step process outlined by the US Department of Commerce and the European Commission:
1. Confirm your company's eligibility to participate in the EU-US Data Privacy Framework.
3. Ensure that your company has in place an appropriate independent recourse mechanism for each type of personal data covered by your self-certification.
4. Make the required contribution for the Annex I Binding Arbitration Mechanism.
5. Ensure that your company's Verification Mechanism is in place.
6. Designate a contact person responsible for Framework compliance.
7. Prior to submission, double-check the information required to self-certify.
8. Submit your company's self-certification to the US Department of Commerce's International Trade Administration (ITA).
Does the EU-US Data Privacy Framework Apply to Transfers from the UK to the US?
Due to Brexit, the EU-US Data Privacy Framework does not apply to data transfers from the UK to the US.
However, the UK government has published its own adequacy decision to allow transfers of personal data from the UK to US self-certified companies under the Framework. In other words, the UK Adequacy Decision creates a “UK Extension” that took effect on October 12, 2023.
In practical terms, US companies that wish to receive personal data per the UK Extension must:
- be listed on the EU-US Data Privacy Framework, and
- participate in the UK Extension.
The companies’ self-certification submissions to the ITA and their privacy policies will reflect these compliance commitments.
What to Expect in the Future?
As with all Adequacy Decisions, the EU-US framework for data privacy will be subject to periodic reviews to verify that the Framework is functioning effectively in practice.
The first review will take place within a year of the Adequacy Decision's entry into force (in 2024). It will be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.
This decision could then be amended or withdrawn depending on the outcome of the periodic reviews.
The Adequacy Decision - Key Takeaways
In summary, the EU-US Data Privacy Framework affirms that the United States provides an adequate level of data protection, facilitating seamless transfers of personal data between the EU and the US.
- US companies participating in the EU-US Framework can receive personal data from the EU without implementing additional safeguards.
- For EU companies, the Adequacy Decision enhances the rights of individuals and establishes a redress mechanism for national security concerns.
Overall, the Adequacy Decision promotes the smooth flow of data across the Atlantic while upholding data protection standards in alignment with the GDPR.
How Can InnReg Help?
With a strong regulatory and compliance team with EU subject-matter expertise, InnReg is well-positioned to offer the following support regarding the EU-US Data Privacy Framework in general and the Adequacy Decision in particular:
- Help you understand your obligations arising out of the Framework;
- Support the process of self-certification under the Adequacy Decision;
- Provide up-to-date information on compliance requirements and ongoing monitoring by the US Department of Commerce.
Get in touch with us at firstname.lastname@example.org or call us at 305-908-1160 for your free consultation!
InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts helping fintechs succeed in highly regulated markets since 2013. InnReg specializes in mitigating regulatory risk while helping clients launch and grow innovative fintech products and services.