The European Commission adopted on 10 July 2023 an adequacy decision for the EU-US Data Privacy Framework (DPF), which replaces the Privacy Shield Framework invalidated by the Court of Justice of the European Union in the so-called “Schrems II” decision[1]. As of this date, transfers from the EU to entities and organizations located in the US that are included in the ‘Data Privacy Framework List’ (“DPF list”) may be based on the Adequacy Decision according to Article 45 of the GDPR and carried out freely, without the need to rely on Article 46 GDPR transfer tools (as described in our dedicated section) or to apply supplementary measures to frame the transfers to the US.
The EU-US Data Privacy Framework introduces a system of self-certification, which requires US entities to comply with the obligations and principles of data protection listed in this framework, such as purpose limitation, data minimisation and respect for certain data subject rights.
This mechanism, as well as the application of the legal framework of the United States of America, is continuously monitored by the European Commission and the Member States of the European Union. Where the European Commission has indications that an adequate level of protection is no longer ensured, it can decide to suspend, amend or repeal the adequacy decision, or limit its scope.
For Luxembourg-based companies: under which conditions can data be transferred to the US?
Companies, associations or other organizations established in Luxembourg (or in another country in the EEA) transferring data to the US should consult the DPF website, maintained and made publicly available by the U.S. Department of Commerce (“DoC”), to check whether the companies to which personal data will be transferred are self-certified and comply with the framework requirements. The list of certified entities is available on the website of the US Department of Commerce: https://www.dataprivacyframework.gov/list.
It is important to note that transfers of personal data to entities in the US that are not included in the DPF list may not rely on the adequacy decision and must be carried out on the basis of one of the transfer tools under Article 46(2) of the GDPR (see section "Personal data transfers to countries outside the European Economic Area without an adequate level of protection").
If the US entity receiving personal data in the US acts as a processor on behalf of the Luxembourg entity acting as controller (for example, a cloud service provider), a data processing agreement under Article 28 GDPR will be required, regardless of whether the US company (processor) participates in the EU-U.S. DPF. More information on this requirement can be consulted in the section “Contract Requirements for Data Transfers to a Processor” of the FAQs – EU–U.S. Data Privacy Framework (EU–U.S. DPF) published on the official US DPF website.[2]
For Luxembourg-based data subjects: how can data subjects exercise their rights towards a certified US company or lodge a complaint against it?
You may find more information on data subjects' rights and on how to exercise them in the context of the DPF on our dedicated page.
[1] Court of Justice of the European Union, 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, case C-311/18.
[2] https://www.dataprivacyframework.gov/program-articles/Contract-Requirements-for-Data-Transfers-to-a-Processor