EU and US Reach Agreement on Data Privacy Framework
On November 26, 2025, the European Union and the United States announced a new agreement to facilitate transatlantic data flows, known as the Data Privacy Framework. This agreement aims to address concerns raised by the Court of Justice of the European Union (CJEU) regarding data transfers under previous frameworks, such as Privacy Shield, which were invalidated due to concerns about US surveillance practices.
Background: Previous Frameworks and the Schrems Cases
For years, the transfer of personal data between the EU and the US has been governed by various agreements. The Safe Harbor Framework (2000) was the first attempt, followed by the Privacy Shield (2016). However, both were struck down by the CJEU in cases brought by Austrian privacy activist Max Schrems. The core issue was that US law did not provide EU citizens with data protection rights equivalent to those guaranteed under the General Data Protection Regulation (GDPR).
Specifically, the CJEU ruled that US surveillance laws allowed for broad access to personal data by US intelligence agencies, without sufficient safeguards for EU citizens. The IAPP provides a detailed summary of the Schrems II decision.
Key Features of the Data Privacy Framework
The Data Privacy Framework introduces several key changes designed to address the CJEU’s concerns:
- Enhanced US Surveillance Safeguards: The US has implemented new safeguards to ensure that signals intelligence activities are conducted in a manner consistent with EU law. This includes establishing a multi-layer redress mechanism for individuals whose data is accessed by US intelligence agencies.
- Autonomous Redress Mechanism: EU citizens will have access to an independent redress mechanism to challenge data access requests by US intelligence agencies.
- Data Protection Review Court (DPRC): A newly established Data Protection Review Court will provide independent oversight and review of US intelligence activities. The US Department of Justice details the DPRC here.
- Stronger Enforcement: The US Federal Trade Commission (FTC) will continue to enforce compliance with the framework’s principles.
What This Means for Businesses
The Data Privacy Framework provides a pathway for US companies to legally receive personal data from the EU. Companies wishing to participate must self-certify to the US Department of Commerce, committing to adhere to the framework’s principles. This includes implementing appropriate data protection measures and providing individuals with data about their rights.
Self-Certification Process
The self-certification process involves:
- Publishing a privacy policy that aligns with the Data Privacy Framework principles.
- Designating a contact within the organization responsible for data privacy.
- Committing to respond to complaints and cooperate with enforcement authorities.
Potential Challenges and Future Outlook
While the Data Privacy Framework represents a significant step forward, it is likely to face legal challenges. Schrems has already indicated his intention to review the framework and potentially challenge it in court if he believes it does not adequately protect EU citizens’ data privacy rights. NOYB (European Center for Digital Rights), founded by Max Schrems, will likely be at the forefront of any legal challenges.
Despite these potential challenges, the Data Privacy Framework provides a more stable legal basis for transatlantic data flows than previous arrangements. Its success will depend on the continued commitment of both the EU and the US to uphold the principles of data privacy and provide effective redress mechanisms for individuals.
Key Takeaways
- The Data Privacy Framework replaces the invalidated Privacy Shield.
- It introduces enhanced US surveillance safeguards and an independent redress mechanism.
- US companies must self-certify to participate in the framework.
- Legal challenges are possible, but the framework offers a more stable legal basis for data transfers.
Published: 20