EU-US Data Privacy Framework: “Data traffic between the EU and the US is possible again” or “Will the third time be the charm?”

On 10 July 2023, the European Commission adopted its adequacy decision, putting the EU-US Data Privacy Framework directly into effect. This successor to the EU-US Privacy Shield and the Safe Harbour Agreement is once again intended to enable “simple” data transfers between the EU and the USA. Essentially, it implements guarantees and criteria to comply with the ECJ Schrems II ruling. For example, U.S. laws had to be adjusted to ensure that U.S. intelligence agencies have only limited access to EU citizens’ information. Furthermore, the adjustments give EU citizens recourse to an independent and impartial redress mechanism concerning the collection and use of their data by U.S. intelligence agencies and U.S. companies.

The European Commission confirms that the U.S. (specifically, certified U.S. companies) adequately protects personal data. This is welcome news for European businesses, which can once again transfer personal data to participating U.S. companies without other safeguards (such as standard contractual clauses). It should be noted that U.S. companies must certify their compliance with data protection standards; this certification will be processed and monitored by the U.S. Department of Commerce. Certified companies will be entered in the Data Privacy Framework List, which can be viewed publicly.

The EU-US Data Privacy Framework is being welcomed by many, but not all. Max Schrems immediately stated that he and the association NOYB will challenge the adequacy decision. Will the EU-US Data Privacy Framework stand the test of time, or will it be struck down by the courts, like Privacy Shield and Safe Harbour before it? Perhaps the third time will be the charm…