On July 10, 2023, the European Commission adopted its long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (the “Framework”) thereby concluding that the United States ensures an adequate level of protection for personal data that are transferred from the European Union to companies in the U.S. that participate in the Framework.

The Framework replaces the EU-U.S. Data Privacy Shield that was previously invalidated by the Court of Justice of the European Union (CJEU) in its Schrems II judgment on July 16, 2020. Privacy Shield replaced the previous EU-U.S. agreement known as Safe Harbor (from 2000), which was invalidated by the CJEU in its Schrems I judgment on October 6, 2015. Given this history, it seems likely the Framework will be challenged in the near future, and it remains to be seen whether the new data safeguards for European Economic Area (EEA) individuals under the Framework will be regarded sufficient by the CJEU.

The Framework serves as an additional data transfer tool under the EU General Data Protection Regulation (GDPR) and allows entities from the EEA to transfer personal data to U.S. companies that are included in the ‘Data Privacy Framework List’, maintained by the U.S. Department of Commerce.

Therefore, when transferring data to U.S. companies on the Data Privacy Framework List, EEA entities will no longer need to rely on standard contractual clause, binding corporate rules or other safeguards or derogations listed in Article 49 GDPR, but will now be able to use the Framework as an alternative data transfer mechanism. The same will be true for onward transfers of EEA personal data from one U.S- based company, that is subject to the GDPR under Article 3, to another U.S. company on the Data Privacy Framework List.

An essential element of the Framework concerns the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ that was signed by President Biden in October 2022 to enhance and safeguard the rights of EEA individuals whose data are being transferred to the U.S. For this purpose, the Executive Order together with accompanying regulations adopted by the U.S. Attorney General limit access to EEA personal data by U.S. intelligence authorities and establish a new two-layer redress mechanism to handle and resolve complaints from EEA individuals.

Tags: Court of Justice of the European Union, EEA data, European Economic Area, European Union, privacy framework
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok is a partner in the Technology, Financial Services and Data Privacy Practice in Berlin and Co-Head of Greenberg Traurig’s global Fintech Group. He advises national and international clients across all industries, including financial services, information technology, artificial intelligence, ecommerce, media, health

Carsten Kociok is a partner in the Technology, Financial Services and Data Privacy Practice in Berlin and Co-Head of Greenberg Traurig’s global Fintech Group. He advises national and international clients across all industries, including financial services, information technology, artificial intelligence, ecommerce, media, health care, telecoms, retail and real estate, on a wide variety of complex commercial and regulatory matters.

Carsten is a leading technology lawyer, ranked consistently in Band 1 for Fintech Legal in Germany since 2020. He has in-depth and wide-ranging experience in the areas of privacy and cybersecurity, payments law, financial services, e-money products, blockchain technology, and financial and banking regulation, as well as in artificial intelligence regulation – including compliance with the EU AI Act – and the integration of AI technologies into existing software systems.

Carsten regularly assists clients in licensing projects and audit proceedings with financial regulators and advises on the contractual and regulatory aspects of developing, implementing and operating financial technology products and transactions.

On the data privacy side, Carsten counsels clients on complex data-driven business models and regulatory matters, including on international data transfers, data privacy compliance, monetization of data, artificial intelligence, litigation, cybersecurity and data breach response.

Carsten regularly lectures and publishes on various FinTech and data privacy topics. Prior to joining the firm, Carsten worked at Olswang Germany for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Read more about Carsten A. KociokCarsten's Linkedin Profile
Show more Show less
Photo of Gretchen A. Ramos Gretchen A. Ramos

Gretchen A. Ramos is Global Co-Chair of the Data, Privacy & Cybersecurity Practice. Gretchen is a creative problem-solver that various large tech clients rely on to handle their most challenging data protection issues. Clients appreciate not only her legal skills, but also her

Gretchen A. Ramos is Global Co-Chair of the Data, Privacy & Cybersecurity Practice. Gretchen is a creative problem-solver that various large tech clients rely on to handle their most challenging data protection issues. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach in providing advice. She works closely with her clients to manage data and leverage its value in ways to meet compliance obligations, as well as deliver value to the business and instill consumer trust.

Read more about Gretchen A. RamosGretchen A.'s Linkedin Profile
Show more Show less
Related Posts
EU-Flag
CJEU: First Request for Access May Be Rejected as Abusive Under GDPR
March 25, 2026
GDPR AI
CJEU’s Russmedia Decision Expands Platform Controller Duties Under GDPR
February 9, 2026
EU-Flag
EU-U.S. Data Transfer Pact Upheld; Possible Appeal Awaits
September 4, 2025