EU-US Data Privacy Framework – two months on: euphoria or honest skepticism?

Almost two months ago, on 10 July 2023, the European Commission issued the long-awaited adequacy decision pursuant to art. 45 GDPR for the EU-US Data Privacy Framework (TADPF). We had reported on this in detail.

With this, it was officially confirmed by the EU Commission that the United States provides for an adequate level of protection for personal data transferred from the EU to the US within the new EU-US Data Privacy Framework.

U.S. businesses can join the EU-US Data Privacy Framework by committing themselves to comply with certain data protection standards. To do this, businesses undergo a self-certification process, after which data transfers from European businesses can be based on the framework. Additional measures and guarantees are no longer required, which means that EU Standard Contractual Clauses and GDPR Transfer Impact Assessments would a thing of the past.

At first glance, this sounds promising – but the opinions of the German data protection supervisory authorities are divided. And Max Schrems from the NOYB privacy initiative has already raised concerns and announced that he will also challenge the agreement before the European Court of Justice.

So, time for honest skepticism after the initial euphoria?

At first, the success of the new framework seemed to depend in each case on how quickly and efficiently it would be possible to certify U.S. businesses. Many expected a considerable organisational effort. But then the list of participating businesses on the official website of the U.S. Department of Commercequickly grew longer.

The reason for this is that old certifications under the EU-US Privacy Shield Framework, which had actually been declared invalid by the European Court of Justice, are also recognised under the TADPF.

This shows how little has changed, at least on the part of the U.S. businesses involved. However, the U.S. government has made an effort, at least on the surface, to tighten the reins on its administration and, in particular, its security authorities. The future will show whether the EU-US Data Privacy Framework can withstand renewed scrutiny by the European Court of Justice. In any case, Max Schrems is already preparing for the next lawsuit, so there will be a “Schrems III” ruling.