On 10 July 2023, the European Commission introduced a new adequacy decision within the framework of the EU-US Data Privacy Framework. This decision is a response to the challenges posed by the 2020 Schrems II ruling, which invalidated the Privacy Shield framework. The ruling made it difficult to transfer data from the EU to the US within the framework of the GDPR.
American measures
In response to this challenge, the United States adopted an executive order in October 2022, introducing stronger safeguards for European citizens' data. Nevertheless, it is important to note that an executive order is not a permanent solution and may be changed by future administrations.
After a period of review, the European Commission considered these changes in US legislation to be sufficient, leading to the new adequacy decision.
New decision by the European Commission
Despite the European Commission's new adequacy decision, uncertainty remains, especially given that US authorities still have the right to request personal data from US cloud service providers within the EU. Experts and critics, such as Max Schrems from the organisation NOYB, point out that the fundamental problems with US surveillance laws remain.
“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ — but no substantial change in US surveillance law.” - Max Schrems
Three important points regarding the adequacy decision
Restrictions on data transfers to the United States
Recipients of data transfers in the United States are required to certify under the adequacy decision. The decision does not therefore allow transfers to the United States in general.
The ongoing conflict with GDPR
US laws give their authorities the right to request personal data from American cloud services in the EU, which is a continuing conflict with the GDPR, according to NYOB.
Level of protection in the EU
Organisations within the EU must ensure the level of protection required by the GDPR. The decision was met with criticism that effective protection cannot be guaranteed when third-country legislation may allow interference with the rights of European individuals.
Would you like to deepen your knowledge of how the adequacy decision affects your company? Download our guide to cloud compliance for more information.
