The European Union has finally adopted an adequacy decision on the US-EU Data Privacy Framework (DPF), which means that the EU has concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies under the framework. This decision follows years of negotiations between the EU and the US, after the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU in 2020.
The new framework includes a number of safeguards to protect the privacy of EU citizens, including:
- A requirement for US companies to have strong data protection practices in place.
- A mechanism for individuals to access or correct their personal data and to object to its processing.
- A new redress mechanism for individuals who believe their rights have been violated.
The adoption of the adequacy decision is a significant step forward in the long-awaited effort to ensure that data can continue to flow between the EU and the US while also protecting the privacy of individuals.
The adequacy decision is not without its critics, however. Some argue that the safeguards in the framework are not strong enough, and that the US government’s access to personal data remains too broad.
Assurance for EU companies
Overall, the adoption of the adequacy decision is a positive development for European companies that were using a variety of US tools.
A major concern for European companies after the invalidation of the EU-US Privacy Shield was that they could no longer be sure that their data would be protected if it was transferred to the US. The new framework provides greater assurances that data will be protected from US government services, and as a result European companies can now feel more confident about using US tools. However, the US companies processing the data should be certified under the DPF.
Can EU companies now use tools like Google Analytics “legally”?
The US-EU Data Privacy Framework entered into force on July 10, 2023, the same day it was adopted by the European Commission. This means that European companies can now legally use US tools, as long as the companies that provide these tools comply with the framework’s requirements. Companies such as Google or Meta have been certified previously and are expected to certify again to the new framework soon.
Here are some additional resources that you may find helpful:
- European Commission: Adequacy decision for safe EU-US data flows: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721
- IAPP: US finalizes EU-US Data Privacy Framework requirements, awaits EU adequacy decision: https://iapp.org/news/a/us-finalizes-eu-us-data-privacy-framework-requirements-awaits-eu-adequacy-decision/