On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”), reaching a conclusion that the DPF ensures protection of transferred personal data in the USA that is “essentially equivalent” to the protection offered in the EU (the “EU-US adequacy decision”). On this basis, now personal data can be transferred safely from any EEA companies and organizations to the companies and organizations in the USA that certify pursuant to the DPF.

The DPF certification for a US company or organization can easily be checked at https://www.dataprivacyframework.gov/s/ including the Data Privacy Framework List opened, maintained and publicly administered by the U.S. Department of Commerce. If a US company is included in the list, it means that its self-certification pursuant to the DPF has been completed and it may be a reliable importer of personal data for a data controller from Bulgaria or another EU country.

The EU-US adequacy decision was adopted with immediate effect, i.e., it has been in effect as of 10^th of July 2023. Accordingly, as soon as a US company certifies under DPF, the adequacy decision can be safely relied on as a transfer tool without the need to obtain any further authorization or conducting any transfer impact assessments or implementing any additional security measures.

Effective appropriate safeguards pursuant to Art. 46 of the GDPR also stay available and continue to apply. With respect to transfers of personal data to the USA using SCCs or BCRs as legal basis, companies and other organizations must continue conducting a transfer impact assessment along with using SCCs, as required by the Schrems II decision of the CJEU. However, the EU-US adequacy decision can be referenced and incorporated positively in the sections of the assessment relating to the US public authorities’ ability to access and use transferred personal data. Based on the positive EU-US adequacy decision, data exporters from the EU can safely conclude that US law meets EU requirements in this regard.

As a background, participation in the DPF commences following a successful self-certification process, like it used to be pursuant to the former Privacy-Shield Program. Please note that companies that have continued their participation in Privacy Shield must update references in their privacy policies to the “EU-US Data Privacy Framework Principles” within three months according to the DPF Principles. The process of self-certification and re-certification annually will remain substantively the same as it used to be under the Privacy Shield Program.

The EU-US adequacy decision removes an enormous burden associated with EU-US data transfers and is important and great news for all professionals engaged with personal data processing and protection. However, all other principal requirements of the GDPR, such as data minimization, purpose limitation, storage limitation, lawfulness, and transparency, relating to personal data processing stay and continue to apply as any transfer of personal data from a data controller in Bulgaria or another EU country to a data controller or processor in the USA is a form of personal data processing.

The authors are DGKV's Counsel and Head of Data Protection Practice Ralitsa Gougleva and Associate Anita Dangova.

You can read the Adequacy decision EU-U.S. Data Privacy Framework here: