Re introduction of EU-US Privacy Shield

How personal data transferred between the EU and US is protected

The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield framework no longer provides adequate safeguards for the transfer of personal data to the United States from the EEA.

On 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework. The adequacy decision followed the adoption of Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ by US President Biden on 7 October and a Regulation issued by the US Attorney General. These instruments introduced new binding safeguards to address the points raised by Court of Justice of the European Union in its Schrems II decision of July 2020, ensuring that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate and establishing an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes. The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.