The European Commission approved a new adequacy decision on the EU-US Data Privacy Framework on July 10, 2023. The European Commission issued a press release, stating that "[T]he decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards."
The Court of Justice of the European Union (CJEU) had previously deemed that the transfer of personal data from the EU to the US was deemed illegal in the Schrems II case. The much-anticipated decision provides EU companies transferring personal data to the US with an additional mechanism to legitimize their transatlantic data transfers. According to the European Commission, the EU-US Data Privacy Framework addresses all concerns raised by the CJEU, including with respect to access to EU data by US intelligence services and a redress mechanism with the creation of the Data Protection Review Court.
Organizations that are currently self-certified under the EU-US Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-US Data Privacy Framework. The European Commission will review the decision regularly, starting one year after it enters into force.