In July, the European Commission took the final steps to formally adopt formally establish the new EU-U.S. Data Privacy Framework (the Framework). After years of intense negotiation between the EU and the U.S., restoration of the Framework reduces the uncertainty about lawful data transfer that came with invalidation of the U.S-EU Privacy Shield by the Court of Justice of the European Union (CJEU) in the Schrems II case.

According to the European Commission’s press release, the Commission determined that under the Framework the United States ensures an adequate level of protection for personal data transferred from the EU to the U.S.  As a result, the Framework provides EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transatlantic data transfers.

The Framework makes it possible for U.S. companies to self-certify that they meet the Framework’s requirements and commit to its privacy obligations. By doing so, companies are able to receive EU personal data without implementing additional transfer safeguards.

The Framework provides European citizens with recourse to improved redress mechanisms if their personal data is handled in a manner that violates the principles of theEU-U.S. Data Privacy Framework.  

Companies currently self-certified under the EU-U.S. Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-U.S. Data Privacy Framework.

While concerns persist that the Framework may face legal challenges as did its predecessor, the EU-U.S. Privacy Shield, about possible legal challenges to the Framework.  EU Justice Commissioner Reynders commented that the Commission is committed to defending it in any judicial proceedings.

The EU-U.S. Data Privacy Framework will be subject to periodic reviews by the European Commission and representatives of European data protection authorities and competent U.S. authorities.

Read the Adequacy Decision the Factsheet and the Questions and Answers.

‍