Until July 2020, personal data could be transferred to the US on the basis of the Privacy Shield Agreement. However, with its “Schrems II” decision (judgment of July 16, 2020 – Case C 311/18), the ECJ then declared the Privacy Shield Agreement invalid, meaning that other legal bases now had to be found for data transfers to the US that had previously been based on the Privacy Shield.
As a result of the “Schrems II” decision, a new data protection agreement was negotiated between the EU and the US. To address the concerns that the ECJ had about the previous agreement, new data protection mechanisms were introduced, including a Data Protection Review Court in the US and limited access rights for law enforcement and security authorities. The agreement was implemented by an executive order signed by US President Biden in October 2022.
On July 10, 2023, the EU Commission determined that, in its view, US companies that are (self-)certified under the new EU-US Data Privacy Framework (EU-US DPF) provide an adequate level of data protection with regard to the transfer of personal data.
The GDD has compiled a list of frequently asked questions based on questions submitted by its members regarding the EU Commission's adequacy decision.