European Commission Adopts Adequacy Decision for EU-US Data Transfers


Posted on 21 Jul 2023

On 10 July 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-US Data Privacy Framework (the “Framework”). As a result, personal data can be transferred freely from the EU to organisations in the US that participate in the Framework.

International Data Transfers

The GDPR (General Data Protection Regulation) prohibits personal data transfers to countries outside of the EU unless certain conditions are met. In principle, transfers may take place in any of the following circumstances:

  • To a country with an EC adequacy decision (GDPR Article 45)
  • With appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) with supplementary measures (for UK companies, the International Data Transfer Agreement can be adopted) or Binding Corporate Rules, if data subjects have enforceable rights and effective legal remedies (GDPR Articles 46 and 47)
  • Where a derogation for a specific situation applies, for example where the data subject has given their explicit consent (GDPR Article 49).

In July 2020, the European Court of Justice ruled that the EU-US Privacy Shield was not a valid mechanism for transferring personal data from the EU to the US (Schrems II), as it did not provide adequate safeguards for the data. Since then, businesses have needed to implement alternative safeguards to transfer data to the US.

What is the Data Privacy Framework?

The Framework addresses the issues arising from the Schrems II decision. It sets out the privacy obligations that US businesses must commit to when receiving EU individuals’ personal data. US businesses signed up to the Framework do not need to put in place additional transfer safeguards.

The Framework addresses the key concerns from Schrems II by ensuring that data can only be accessed by US intelligence agencies to the extent that it is necessary and proportionate for them to do so. It also establishes an independent and impartial redress mechanism to handle and resolve complaints from European data subjects concerning their data being collected for national security purposes.

What does the Data Privacy Framework mean for the UK?

The Framework applies to data transfers from the EU, meaning the UK does not benefit from it. However, in June 2023 the UK and US committed to establishing a UK extension to the Framework, which will create a ‘data bridge’ between the two countries. This is a commitment in principle, so businesses should monitor progress towards a formal agreement.

If you have any questions on transferring personal data internationally, please contact our Data Privacy team.

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
