EU-U.S. Data Privacy Framework Advances to the Next Stage

EU-U.S. Data Privacy Framework Advances to the Next Stage

For companies that conduct business in both the European Union and the United States, data transfers between the EU and the U.S. has long been a challenging process, primarily in light of the EU’s strict privacy regulation, the General Data Protection Regulation (GDPR). In order to facilitate data transfers between the EU and other countries, the EU has entered “adequacy determinations” as to some countries – meaning that the EU determined that those countries’ privacy protections were sufficient in order to protect the privacy of those EU citizens whose data might be transferred. Although the EU previously adopted an adequacy determination regarding the U.S., referred to as the Privacy Shield, it was struck down twice after it was challenged by Max Schrems, Honorary Chairman of NOYB (which stands for “None of Your Business”), a European digital rights non-profit. 

Now, the EU and the U.S., both motivated by powerful business and political interests, are on the brink of finalizing a new data privacy framework. On December 13, 2022, the European Commission published its draft adequacy decision, recognizing the essential equivalence of U.S. data protection standards. This draft decision will now be examined, poked and prodded, and subject to nonbinding opinions from various European bodies such as the European Data Protection Board, the Council of the European Union, and European Parliament.

If the new adequacy decision passes this scrutiny, which EU officials hope it will by the summer of 2023, that will not be the end of the saga: Schrems has vowed to raise a third challenge over a range of concerns, stating that he “can’t see how this [adequacy decision] would survive a challenge.”

Many U.S. businesses who are eager for a free flow of data from the EU are awaiting the resolution of this sticky situation. Unfortunately, it may still be a long time before there is clear guidance as to what the data sharing process may look like. In the meanwhile, U.S. companies can use alternative means for data transfers, such as binding corporate rules (BCRs) and standard contractual clauses (SCCs).

  • Ella A. Shenhav

    Ella A. Shenhav is a partner in the Tampa office of Shutts & Bowen LLP, where she is a member of the Business Litigation Practice Group. She is a Certified Information Privacy Professional (CIPP/US), accredited by the International ...

Search Blog

Follow Us

Recent Posts

Popular Categories



Jump to Page

Shutts & Bowen, established in 1910, is a full-service business law firm with approximately 270 lawyers located in eight offices across Florida.

By using this site, you agree to our updated Privacy Policy and our Terms of Use.