


New EU-US adequacy decision: what changes does the Data Privacy Framework bring?


​published on 20 July 2023 | reading time approx. 3 minutes


The Data Privacy Framework ('DPF'), the US adequacy decision, was adopted on 10 July 2023 and is immediately applicable. 


This is an important milestone. Until now, a data controller (or data processor) transferring personal data from the EU to the USA first had to verify the level of protection offered by the importing country and by the importer itself and, only if that verification had a positive outcome, could prepare the set of clauses to be annexed to the main contract (in the period before that, data transfers were easily managed at a purely documentary level, by filling in and annexing the SCCs).


Over the last two years, data controllers and processors have updated their procedures for the qualification and management of third parties, making specific provisions for transfers to the USA and, more generally, to countries not covered by adequacy decisions. In other cases, they have taken on real risk. Today, however, the European Commission considers the country to have a level of data protection equivalent to that of the European Union.


This has been made possible by the regulatory work carried out by the Biden administration to rebalance the provisions on the processing of, and access to, personal data in the United States so as to guarantee a fully democratic system that is equivalent to the European one.


With the DPF, public powers are now tempered so as to finally offer a guarantee of confidentiality: in particular, the DPF provides EU individuals whose data will be transferred to companies in the US with several new rights (to obtain access to their data, or the correction or deletion of incorrect or unlawfully processed data).


In addition, the DPF offers several avenues of redress in the event of data being mishandled, including independent and free dispute resolution mechanisms and an arbitration panel. The US government has set up a new two-tier redress mechanism with independent and binding authority: a complaint is first lodged with the so-called 'civil liberties protection officer' of the US intelligence community, and the officer's decision can then be appealed before the newly introduced Data Protection Review Court (DPRC). Another essential element of the US legal framework on which the adequacy decision is based is the Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities'.


For European citizens, the Executive Order provides for: binding safeguards limiting access to data by US intelligence authorities to what is necessary and proportionate to protect national security; increased oversight of the activities of US intelligence services to ensure compliance with the limitations on surveillance activities; and the establishment of the independent and impartial redress mechanism mentioned above. 


The GDPR requires verification not only of the level of protection offered by the importing country, but also of the technical and organisational measures implemented by the importer itself (the company receiving the data transferred from Europe). 


Even if the company receiving the data is not certified, the safeguards put in place by the US government in the area of national security apply to all data transfers under the GDPR, and therefore the data may be transferred subject to an assessment of the importer and the adoption of additional safeguards. Data Transfer Impact Assessments will remain the way to verify the importer's compliance status: data controllers will be able to organise the checks at their discretion, opting for checklists or interviews with providers.

DATA PROTECTION BITES

Author


Chiara Benvenuto

Lawyer

Senior Associate
