EU–US Data Privacy Framework
The EU–US Data Privacy Framework is a European Union–United States data transfer framework established under the General Data Protection Regulation (GDPR), agreed to in 2022, declared adequate by the European Commission in 2023, and extended to the European Economic Area (EEA) in 2024.
Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. After the invalidation of the EU–US Privacy Shield in July 2020, companies wishing to transfer data between the EU and the US had "faced confusion, higher compliance costs, and challenges for EU–US business relationships". The EU-US Data Privacy Framework (DPF) is intended to address these concerns.
The European Parliament raised substantial doubts as to whether the new agreement reached by Ursula von der Leyen actually conforms with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and fails to enforce basic human digital rights in the EU. Under the Trump administrations, doubts have arisen as to the future of the Framework.
US Data Protection Review Court
The Data Protection Review Court (DPRC) is a three-adjudicator panel that deals with appeals made against decisions of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence as described by the EU-US Privacy Framework. It is not an Article III court but an extrajudicial executive branch tribunal.
Members of the DPRC are appointed by the Privacy and Civil Liberties Oversight Board (PCLOB) to four-year terms.
The decisions made by the DPRC have binding effect for the adjudication. There has been criticism of its secrecy and possible effectiveness.
CH–US Data Privacy Framework
Similarly to the EEA, EFTA member Switzerland has had a Swiss–US Data Privacy Framework with the US under its Federal Act on Data Protection (DSG) since September 2024.
History
On 25 March 2022, it was announced that the European Commission and the United States had committed to a "Trans-Atlantic Data Privacy Framework" in reaction to the failure of the EU-US Privacy Shield.
On 7 October 2022, US President Joe Biden signed Executive Order 14086 to implement the framework, including authorizing and directing the creation of the US Data Protection Review Court. United States Attorney General's order 5517-2022 of 7 October 2022 established the court.
In May 2023, the European Data Protection Board approved the Commission's adequacy decision draft that was published on December 13, 2022.
Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework and not to adopt an adequacy finding on the basis that "the EU–US Data Privacy Framework fails to create essential equivalence in the level of protection".
The European Parliament raised substantial doubts whether the new agreement reached by Ursula von der Leyen actually conforms with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and fails to enforce basic human digital rights in the EU. In May 2023, a resolution on this matter passed the European Parliament with 306 votes in favor and 27 against.
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, thereby allowing transfer of personal data from the EU to the US on the basis of Article 45 of the GDPR.
In July 2023, the NGO NOYB (European Center for Digital Rights) announced that it would challenge the framework again before the European Court of Justice.
Effective 6 July 2024, the EEA Joint Committee incorporated the Commission Implementing Decision into the EEA Agreement, extending it to the European Economic Area (EEA).
On 14 August 2024, the Swiss Federal Council issued an adequacy decision for the Swiss–US Data Privacy Framework under its Federal Act on Data Protection (DSG).
In January 2025, Trump fired Democrat members of the Data Protection Review Court, leaving the five-person board with only one Republican member, short of three required to make any decisions.