Adequacy Decision Adopted for Data Sharing between the EU and the US
The European Commission has adopted the adequacy decision for the data protection framework between the EU and the US. An adequacy decision is an instrument of the General Data Protection Regulation (GDPR) that allows personal data to be transferred from the EU to third countries that, according to the Commission’s assessment, offer a level of protection for personal data comparable to that of the European Union.
Uncertainty had prevailed for a long time after the Court of Justice of the European Union declared the previous adequacy decision on the EU-US Privacy Shield invalid in 2020 (see also our blog article: What to do after the toppling of the EU-US Privacy Shield?).
The present decision now introduces new binding safeguards to address all the concerns expressed by the European Court of Justice. It provides that access by US intelligence agencies to EU data will be limited to what is necessary and proportionate and that a Data Protection Review Court (DPRC) will be created to which individuals in the EU will have access.
In addition, the functioning of the data protection framework is to be reviewed regularly by the European Commission and representatives of the European data protection authorities and the competent US authorities. The first review will take place within one year of the entry into force of the adequacy decision to determine whether all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
What does the adequacy decision mean for email service providers (ESPs) and their partners?
Until now, US-based ESPs and their EU counterparts have had to use the standard contractual clauses adopted in 2021 to transfer data to the US. The disadvantage of the previous procedure was that, in addition to the use of the standard contractual clauses, other unspecified safeguards had to be put in place to ensure security in the US (see our blog article: Legal frameworks for international data transfer: The EU/US-situation).
The new adequacy decision means that personal data can be transferred from the EU to the US without the need for further safeguards, as long as the recipient is a suitably certified US company. This adopts the certification mechanism already used in the overturned Data Convention. The US Department of Commerce has published a list of US companies that have certified themselves to the Department and committed to comply with the principles of the EU-US data protection framework (for more information on the procedure, background and an overview of the listed companies, see: https://www.dataprivacyframework.gov/s/participant-search).
However, data transfers to US companies that are not on the list of the EU-US data protection framework cannot be based on the adequacy decision in the future. Such transfers still require appropriate safeguards under Art. 46 GDPR (e.g. standard contractual clauses or recourse to binding internal data protection rules under Art. 47 GDPR, so-called Binding Corporate Rules), possibly in combination with authorisation by a competent supervisory authority, or the existence of an exceptional circumstance under Art. 49 GDPR in the individual case.
Therefore, ESPs based in the USA should urgently obtain certification from the Department of Commerce because only then is it possible to exchange data between the EU and the USA in a legally secure and unbureaucratic manner.