Skip to main content

Adequacy decision on the EU-US Data Privacy Framework

25 July 2023

Regulatory News Alert

On 10 July 2023, the European Commission adopted the adequacy decision on the EU-US Data Privacy Framework. Adequacy decision is a tool allowing the transfer of personal data from the EU to these third countries whose level of personal data protection is comparable to the EU.

Adopting the adequacy decision is a result of the United States government’s implementation of the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities.”1 This Executive Order established a set of new safeguards coming from the Schrems II decision,2 for instance obliging US Intelligence agencies to comply with the necessity and proportionality principle in terms of data access. As of this writing, the US joins Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK, and Uruguay in providing adequate protection.

EU-US Data Privacy Framework


As of 10 July 2023, the European organizations can transfer personal data to US entities that participate in the EU-US Data Privacy Framework without any additional preventive measures. The data subjects whose data is transferred from the EU to the US are eligible to a new set of rights that were not available before, such as the right to access, correction or erasure of data. Moreover, the EU individuals can benefit from complementary dispute resolution mechanisms and arbitration panel. The Framework introduces new rules about data security and data sharing with third parties and implements purpose limitation, data minimization and data retention principles. Key points of the framework nclude:

  • Limited access to data by US intelligence agencies:
    • Access to personal data of EU individuals is allowable only when necessary and proportionate to protect national security (e.g., in case of terrorist organizations posing potential threat to national security).
    • Activities of US intelligence authorities are subject to enhanced oversight on surveillance activities.
    • Establishment of a Data Protection Review Court where data subjects can direct complaints regarding access to their data by US intelligence agencies.
  • New redress mechanism in national security:
    • Individuals may file a complaint to their national data protection authority without proof that their data was accessed by US intelligence agencies. The European Data Protection Board will forward complaints to the US.
    • Complaints are then assessed by the Civil Liberties Protection Officer (CLPO) – an institution that ensures US intelligence agencies are compliant with fundamental rights.
    • The CLPO’s decision can be appealed by the complainant/plaintiff to the Data Protection Review Court (DPRC). The DPRC consists of independent members from outside US government. The DPRC can investigate into the complaints, obtain information from US intelligence agencies, and make binding decisions (for instance, an order to delete data). The DPRC can assign a special advocate to each complainant/plaintiff to ensure their interests are properly represented.

Why is this important for me?


The EU-US Data Privacy Framework applies to data transfers between EU and US companies certified by the US Department of Commerce. US companies will be able to “self-certify” and join the EU-US Framework by committing to comply with a detailed set of privacy obligations.

What is next?


Every year, the decision will be reviewed by the European Commission according to the newest developments in the US law. The first review will be performed in July 2024 to verify whether all the safeguards are effectively implemented, according to the Framework. Based on the results of the first review, the European Commission will consult with EU Member States for future reviews that will happen at least every four years.

How Deloitte can help


Deloitte’s specialists and dedicated services can help you clarify the opportunity and impact of the EU-US Data Privacy Framework. Our Regulatory Watch team closely follows developments to help you stay ahead of the regulatory curve.


1Executive Order 14086 – Policy and Procedures | Other release | Bureau of Intelligence and Research, July 3rd 2023, <> [accessed: 19.07.2023]
2CJEU C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, July 16th 2020, <;jsessionid=FC6484B559D967F68D6BF745B87C5F5A?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2663287> [accessed: 19.07.2023]

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey