EU–US Data Privacy Framework

The EU–US Data Privacy Framework is a European Union–United States data transfer framework that was agreed to in 2022 and declared adequate by the European Commission in 2023. Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. The EU-US Data Privacy Framework is intended to address these concerns.

After the invalidation of the EU–US Privacy Shield in July 2020, companies wishing to transfer data between the EU and the US "have faced confusion, higher compliance costs, and challenges for EU–US business relationships".

The EU parliament raised substantial doubts that the new agreement reached by Ursula von der Leyen is actually conform with EU laws, as it still does not sufficiently protect EU citizens form US mass surveillance and severely fails to enforce basic human digital rights in the EU. In May 2023 a resolution on this matter passed the EU parliament with 306 votes in favor and only 27 against, but so far has stayed without consequences. The NGO NOYB (European Center for Digital Rights) has announced that it will once again try to set the Framework out of force in front of the European Court of Justice.

History
On March 25, 2022, it was announced that the European Commission and the United States had committed to a "Trans-Atlantic Data Privacy Framework" in reaction to the failure of the EU-US Privacy Shield.

In October 2022, U.S. President Joe Biden signed an executive order to implement the framework.

In May of 2023, the European Data Protection Board approved the Commission's adequacy decision draft that was published on December 13, 2022.

Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework and not to adopt an adequacy finding on the basis that "the EU–U.S. Data Privacy Framework fails to create essential equivalence in the level of protection".

On July 10 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, thereby allowing transfer of personal data from the EU to the U.S. on the basis of Article 45 of the GDPR.

Data Protection Review Court
The Data Protection Review Court (DPRC) is a three-judge panel, established in Executive Order 14086 of 7 October 2022, which will deal with appeals made to the decisions of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence as described by the EU-U.S. Privacy Framework. The decisions made by the DPRC have binding authority.

There has been criticism.