The EU-US Data Privacy Framework (EU-US DPF), formerly Transatlantic Data Privacy Framework (TADPF), is an agreement between the European Union and the USA to align the differences in legal requirements for data protection in the two regions.
For the US side, President Biden signed an executive order on October 7, 2022, to implement certain commitments that were previously agreed upon in negotiations with the EU. This comprises
- Safeguards that, at least in theory, are meant to limit data access of the US security and intelligence agencies to what is necessary and propor-tionate, and
- the creation of a two-step complaints mechanism for EU citizens in the form of (1) the Data Protection Officer, whose decisions (2) can be challenged before the Data Protection Review Court.
On the EU-side, the EU Commission issued an adequacy decision, recognizing that the level of protection of personal data in the United States under the DPF is comparable to that in the European Union.
Personal data can therefore flow freely from the EU to the US as long as the receiving company in the US participates (self-certified) in the EU-US DPF. Further safeguards or alternative transfer tools, such as standard contractual clauses, are no longer required.
The question how permanent and reliable the EU-US Data Privacy Framework will be is still open. After all, the last two attempts of similar frameworks (Safe Harbor and Privacy Shield) both failed and were nullified by the ECJ in the Schrems I and II rulings. The ECJ has yet to review the EU-US DPF.
