EU-U.S. Data Privacy Framework: Is Adequate Good Enough?

The European Union has approved a new agreement regarding the privacy of individuals’ personal information transmitted across the Atlantic, in an effort to address European concerns about surveillance by American intelligence agencies.

According to the European Commission, the EU-U.S. Data Privacy Framework provides a sufficient level of protection for the personal data of EU citizens. This means it meets the stringent data protection standards set by the EU’s landmark privacy law, the GDPR.  This so-called adequacy decision will allow companies to transfer information from Europe to the United States without requiring additional security measures.

This agreement aims to resolve the longstanding dispute between Washington and Brussels over the safety of EU citizens’ data stored by tech companies in the U.S., following the striking down of the 2020  data agreement, Privacy Shield.

During a press briefing in Brussels, EU Justice Commissioner Didier Reynders stated that “personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations.”

The discrepancies between the EU’s strict data privacy regulations and the comparatively lax U.S. regime, which lacks a federal privacy law, have been a source of conflict between Washington and Brussels. This has created uncertainty for tech giants like Google and Meta (formerly Facebook), as there was a possibility that European data used for targeted advertising might need to be kept outside of the United States.

The transfer of data is a lucrative proposition, with experts estimating that the transatlantic data transfers amount to trillions of dollars in global economic activity.

However, the European privacy campaigner Max Schrems, who initiated legal challenges against this practice, dismissed the new agreement. Schrems argued that it fails to address fundamental issues and pledged to challenge it in the EU’s highest court. His Vienna-based organization, NOYB, is preparing a legal challenge, and they anticipate the case will reach the European Court of Justice by the end of the year.

Schrems contended that it is essentially a replica of the previous Privacy Shield agreement. He asserted that changes at the legislative level to U.S. surveillance laws are what it will take for the personal data of EU citizens to be safe. 

And for the big question: Is adequate really good enough under the GDPR?

Skip to content