The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield. In its judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States.   

On 12 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision. The adoption process involves obtaining an opinion from the European Data Protection Board and the green light from a committee composed of representatives of EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. 

The proposal for a draft adequacy decision follows the adoption of an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ by US President Biden on 7 October. Along with the Regulation issued by the Attorney General, the Executive Order implements into US law the agreement in principle on a new EU-U.S. Data Privacy Framework that was announced on 25 March by President von der Leyen and President Biden, following more than one year of negotiations. 

Press release 

MEMO

Adequacy decision for the EU-US Data Privacy Framework

The EU-US Data Protection Umbrella Agreement concluded in December 2016 introduced  high privacy safeguards for transatlantic law enforcement cooperation. It contains a comprehensive set of data protection rules that apply to all transatlantic exchanges between criminal law enforcement authorities. In this way, it also strengthens law enforcement cooperation by facilitating the exchange of information. It therefore meets the two-fold objective of working with our U.S. partners to combat serious crime and terrorism while advancing the level of protection of Europeans in line with their fundamental rights and the EU data protection rules.