EU-US Data Privacy Framework: A New Adequacy Decision Ensuring Safe and Trusted Data Flows

In 2020 the US-EU Privacy Shield was invalidated raising the question of how US based companies can process the data of European citizens. This month the European Commission took a significant step in clarifying a new mechanism to ensure the safety and trustworthiness of data flows between the European Union and the United States. With the adoption of its adequacy decision for the EU-US Data Privacy Framework, the Commission confirms that the US provides an adequate level of data protection comparable to that of the EU. We discuss in this article what this means in practice for both European and US businesses.

The EU-U.S. Data Privacy Framework introduces robust and binding safeguards to address concerns raised by the European Court of Justice. These measures include limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC) accessible to EU individuals. Compared to the previous Privacy Shield mechanism, the new framework brings significant improvements, such as the power for the DPRC to order the deletion of data collected in violation of safeguards.

What does it mean in practice?

With the passing of the EU-US Privacy Framework, companies can now commit to a detailed set of privacy obligations to ensure protection when transferring EU personal data to the US.

In practice the framework includes reminiscent protections as under the European standard of GDPR such as: 

  1. the requirement to delete personal data when it is no longer necessary for its original purpose
  2. ensuring continuity of protection when sharing data with third parties

The requirement for EU individuals to have access to various redress avenues in case their data is mishandled by U.S. companies, including independent dispute resolution mechanisms and an arbitration panel, providing recourse for affected individuals.

What should companies who previously relied on the EU-US Privacy Shield know? 

Since the invalidation of the EU-US Privacy Shield, companies have relied on alternate data transfer safeguards and standards such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). These companies can continue using the SCCs or BCRs for now and consider transitioning to the EU-US Data Privacy Framework in the future for added benefits. The news is also positive for companies who previously relied on the Transatlantic Invalidation Agreement (TIA) and are currently transferring data, as the risk of transfer issues has significantly decreased. 

Regardless of your chosen data transfer method however, companies should remember to update your Privacy Policy accordingly. This ensures that your data processing practices align with the latest compliance requirements.
If you are considering transitioning to this new adequacy decision to ensure full compliance or need assistance with updating your Privacy Policy, our team is ready to assist you – let’s discuss it here!


Recommended posts


Learn more about legalities affecting startups and innovative businesses.
By submitting this form you agree to Sparring processing any personal data you may provide, including your email, name and content of the message, to reply to your request. Find more in our Privacy policy.

Contact us

Start sparring with us today by sharing more about your unique situation and vision, and discover how our expert team can provide the support and assistance you need.

By submitting this form you agree to Sparring processing any personal data you may provide, including your email, name and content of the message, to reply to your request. Find out more in our Privacy Policy.

Your form was sent successfully

We will get back to you with the answer as fast as possible. 🚀