Member Content

Client alert: EU-US Data Privacy Framework

On December 13, 2022, the European Commission published its draft adequacy decision for the new EU-US Data Privacy Framework (“EU-US DPF”). The draft decision concludes that the United States ensure an adequate level of protection for personal data transferred from the EU to US companies which participate in the EU-US DPF by committing to comply with a detailed set of obligations.

This new (draft) adequacy decision is supposed to replace the Privacy Shield, which had been invalidated by Schrems II. This draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022.

Key elements of EU-US DPF

US companies that want to participate in the EU-US DPF need to publicly declare their commitment to comply with a detailed set of data protection principles. Such principles were developed by the US Department of Commerce (“US Department”) in consultation with the European Commission. They include, amongst others, notice requirements, the obligation to protect personal data and to delete such data when it is no longer necessary for the purpose for which it was collected. The US Department will maintain and make available to the public an authoritative list of US companies that have self-certified to the US Department and declared their commitment to adhere to these principles.

EU citizens are supposed to benefit from several redress avenues, if their personal data is handled in violation of the EU-US DPF, such as an independent dispute resolution mechanisms and an arbitration panel.

Furthermore, the EU Commission highlights that the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, in particular the following:

Access to European data by US intelligence agencies is supposed to be limited to what is necessary and proportionate to protect national security;
EU individuals are supposed to have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court is supposed to independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
If the draft adequacy decision is adopted, European companies will be able to rely on the EU-US DPD for personal data transfers from the EU to the US. Currently, personal data transfers to the US are only legitimate on basis of the (new) EU Commission’s standard contractual clauses or any binding corporate rules – in conjunction with a data transfer impact assessment (“DTIA”).


Check the full Framework here.

Share this Article
Related Insights
Holland Fintech Digital Transformation Paper 2024
Holland Fintech is proud to present the Digital Transformation Paper 2024. This whitepaper, led by the Holland Fintech working group Digital Transformation in collaboration with Accenture, provides valuable insights into the dynamics and key factors influencing successful collaborations between fintechs and incumbents.
Holland Fintech Pavilion at Money 20/20
Money 20/20 – Join our Pavilion! The Holland Fintech Pavilion offers a unique opportunity to connect with a global audience of fintech professionals. Located at the heart of Money 20/20, the pavilion provides a central hub for networking, collaboration, and exposure.
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 2-4 October 2024! Be a sponsor, co-organizer, or just participate in our community events.