In accordance with Article 45(3) of the General Data Protection Regulation[1] (“GDPR”), on July 10, 2023 the European Commission adopted the decision on a suitable level of protection for personal data provided under the EU-US Data Privacy Framework (“DPF”). This decision comes in response to the need to create a GDPR-compliant legal framework to enable easy transfer of personal data from the EU to the US after the invalidation of the (EU-US) Privacy Shield, the previous European Commission Implementing Decision on a suitable level of protection.

The DPF is a self-certification system administered and overseen by US government bodies in which individual American companies commit to uphold DPF standards, consisting especially of the obligation to handle data transferred from the EU (or EEA) in accordance with the GDPR.

This EC decision on the PDF allows personal data to be transferred from the EU (or EEA) to American companies with valid DPF certification under the same conditions as it is transferred within the EU, i.e. without taking additional measures.

For the sake of completeness we should mention that European Union decisions on a suitable level of protection for personal data are not the only possible means of transferring personal data outside the EU in compliance with GDPR. Data controllers or processors can also transfer data outside the EU if they provide suitable guarantees[2] pursuant to Article 46 of the GDPR, which can be done on a contractual basis using the standard personal data protection clauses accepted by the European Commission (“standard clauses”). Please keep in mind, however, that even standard clauses cannot solve everything, since for example they are not binding for public authorities that are not party to the contracts. It is important to determine in each case whether the laws of the country to which the data is being transferred provide a suitable level of protection, and if they do not, to take the additional measures necessary beyond the scope of the standard clauses. Failure to do this exposes controllers and processors to the risk of penalties, such as the record 1.2 billion euros imposed in May of this year on Meta Platforms Ireland Limited by the Irish Data Protection Commission.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] The data subjects’ enforceable rights and effective legal protection must also be in place.