First review of EU-US Data Privacy Framework concludes that US authorities have put in place the constitutive elements of the framework
The Commission has published a report today following the first review of the adequacy decision for the EU-US Data Privacy Framework (DPF) for personal data transferred from the European Union to organisations in the US.
Based on the information gathered during the review, the Commission concludes that the US authorities have put in place all the constitutive elements of the framework. This includes the implementation of safeguards to limit access to personal data by US intelligence authorities to what is necessary and proportionate to protect national security, and the establishment of an independent and impartial redress mechanism. The report also contains a number of recommendations to ensure that the Framework continues to function effectively, such as developing common guidance between US authorities and EU data protection authorities on key DPF requirements. The Commission will continue to monitor developments and will report periodically on its functioning.
The review is based on input from a wide range of actors including civil society organisations, trade associations, EU data protection authorities, US authorities involved in implementing the framework, as well as feedback from the general public via the ‘Have your Say’ portal. The report builds also on information gathered during the review meeting in July 2024 between Commissioner for Justice Didier Reynders, US Secretary of Commerce Gina Raimondo, and their experts. The EU delegation to the review meeting included representatives of the European Commission and the European Data Protection Board.
