Hot off the press: The EU-US Data Privacy Framework

Cross-border data transfers from the EU to the US have become a hot topic for almost every European business in the ever-evolving digital landscape.

The good news is finally here: On July 10th, the European Commission finally adopted its long-awaited adequacy decision, concluding that the US provides an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-US Privacy Framework. 

It was only recently that the US government cleared the way by implementing some final legislative measures. The timing is somewhat surprising, as a senior EU official had only hinted that the EU-US data protection framework could be finalised by the end of July. Let's take a look at what this means.

Brief background

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the previous legal basis for EU-US cross-border transfers under the EU-US Privacy Shield. This decision is called the "Schrems-II" decision - and yes, the "II" in "Schrems-II" implies that this has already happened before. 

Because of "Schrems-II", any transfer of personal data from the EU to the US companies under the GDPR based on the Privacy Shield was effectively made illegal overnight. The CJEU's reasoning was primarily based on certain US national security intelligence activities.

In the meantime - the final steps

What happened in the meantime? The negotiations took a long time. Since Schrems-II, the EU and the US had been working together to establish a new basis for transatlantic data flows as a successor to the former Privacy Shield. The aim? To ensure that data transfers across the Atlantic meet the strict data protection standards set out in the GDPR. That way, businesses won't have to jump through potentially complex and expensive legal hoops to legally transfer data between the EU and the US.

Until now, companies were navigating a complex landscape. Mainly, relying on Standard Contractual Clauses (SCCs). But there are challenges and uncertainties associated with this mechanism, such as conducting impact assessments of data transfers.

Now, the US government finally implemented the final legislative and judicial procedures that will allow EU citizens to lodge complaints with US authorities and, if necessary, with the US Data Protection Review Court.

Transatlantic data flows - happily ever after?

Smooth data flows between the EU and the US are a critical component for any business that uses and provides digital services of any kind. It is therefore very good news that companies will now be able to transfer data to the US without having to overcome the previous legal obstacles and concerns. For a few years at least, businesses will be assured of 'data protection peace' - but one thing is certain: The CJEU will, in due course, return to the US level of data protection.

Stay tuned for further updates and practical tips.