European Commission Adopts Adequacy Decision for EU-U.S. Data Privacy Framework

The European Commission has formally adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). U.S. and EU authorities developed the Framework to replace Privacy Shield, a data transfer framework which was deemed non-compliant with the GDPR in the Schrems II case. While the Framework clearly made efforts to address both meaningful redress for EU data subjects and limiting U.S. data surveillance activities to what is necessary and proportional (the key issues in Schrems II), it remains to be seen whether the changes are enough to stand up to challenges.

And there will be challenges. EPIC has previously commented on the Framework, including areas of concern that may not be strong enough to address the problems raised in previous data transfer iterations. The European Data Protection Board’s opinion recommended that the Framework only be adopted if significant changes on redress, exemptions, data subject rights, and more are made. In addition, the European Parliament identified several areas of concern and proposals for change in its resolution on the Framework, urging that the Framework be rejected if these issues are not addressed. And NOYB has already pledged to challenge the Framework as inadequate under the GDPR.

Time will tell whether the Framework is here to stay.