DATA PRIVACY FRAMEWORK (DPF)New adequacy decision for secure data tranfer between the EU und the USA

The European Commission adopted an adequacy decision for the EU-U.S. data protection framework on 10/07/2023 in the third attempt. This means that EU companies can now transfer personal data to data importers in the U.S. who certify compliance with the DPF principles, without the need for further approvals or additional measures (e.g., SCC and BCR).


If the Commission decides that a third country (territory or sector) has an adequate level of protection, then the third country transfer is readily permitted.

For the U.S., the Commission issued two adequacy decisions prior to the entry into force of the GDPR: the Safe Harbor decision of June 26, 2000, which was invalidated by the ECJ on October 6, 2015 (Schrems I), and the Privacy Shield of 12.06.2016, which was also declared invalid by the ECJ on 16.07.2020 (Schrems II).

In both cases, the ECJ found that surveillance by U.S. authorities of EU citizens whose personal data had been transferred to the U.S. was not compatible with EU law. Another problem, he said, is the lack of effective law enforcement mechanisms for EU citizens in the United States.

Since July 2020, companies have had to transfer data to the U.S. subject to appropriate safeguards.

The Data Privacy Framework (DPF)

On May 23, 2022, the European Commission and the United States announced that they had agreed in principle on a new Transatlantic Privacy Framework and had also ensured that the concerns expressed by the ECJ in Schrems II would be addressed.

Yesterday, the adequacy decision finally went into effect.

Effects for companies

Your personal contact

Matthias SchulzSenior Sales Manager

You might also be interested in these articles

Attack through mobile storage media
Learn more
Interview in Deutscher AnwaltSpiegel: "What does the Supply Chain Duty of Care Act mean for SMEs?"
Learn more