Client Alert 01 Aug. 2023

EU-US Data Privacy Framework Wins EU Approval, Faces Unclear Road Ahead

Download the full alert with footnotes

On July 10, the European Commission officially adopted its decision on US adequacy, ushering in the new EU-US Data Privacy Framework. Despite some concerns raised by privacy advocates and the European Data Protection Board, 24 EU Member states voted in favor of the framework.

Under this framework, companies will be able to transfer data from the EU to the US after certifying their compliance with the framework’s privacy obligations.

The EU’s data privacy law, the GDPR, creates restrictions around data transfers from the EU to other countries. Under Article 45 of the statute, an entity may transfer EU personal data to a foreign country that the EU has determined ensures an “adequate level of protection for personal data.” For all other countries, any transfers of EU personal data to them must comply with Articles 46 and 49 of the GDPR.

Under this latest framework, the EU has determined that the US ensures an “adequate level of protection.” This reduces burdens and simplifies the legal regime around data transfers between the two regions.

This framework is the third attempt at a data transfer agreement between the EU and US and represents the third adequacy decision on the US. The first two were struck down by the European Court of Justice (ECJ) due to concerns over US intelligence surveillance and data collection. This latest version attempts to address those concerns by introducing new safeguards in the US, such as establishing a Data Protection Review Court to provide a redress mechanism for EU individuals and requiring that intelligence activities be necessary and proportionate to intelligence priorities.

Nevertheless, Max Schrems, the Austrian privacy activist responsible for the demise of the first two frameworks, has already promised to challenge this latest framework before the ECJ, claiming that US policies still provide insufficient privacy protections.

It remains to be seen if the framework will survive future legal challenges, but in the meantime its enactment progresses. On July 17, the US Department of Commerce launched a website which allows companies to certify their compliance with the framework and restart the process of data transfers from the EU.

The EU-US Data Privacy Framework will be subject to periodic review by the European Commission, together with European data protection authorities and US authorities, to ensure US safeguards have been fully implemented and remain effective. The first such review will occur within a year.

About Curtis

Curtis, Mallet-Prevost, Colt & Mosle LLP is a leading international law firm. Headquartered in New York, Curtis has 19 offices in the United States, Latin America, Europe, the Middle East and Asia. Curtis represents a wide range of clients, including multinational corporations and financial institutions, governments and state-owned companies, money managers, sovereign wealth funds, privately owned businesses, individuals and entrepreneurs. The firm is particularly active on behalf of clients operating in the energy and renewable energy, commodities, telecommunications, manufacturing, transportation and technology industries.

For more information about Curtis, please visit

Attorney advertising. The material contained in this Client Alert is only a general review of the subjects covered and does not constitute legal advice. No legal or business decision should be based on its contents.

Related resources

client alert

EU-US Data Privacy Framework Progresses through EU Approval Process


client alert

Is Congress Getting Closer to Enacting Comprehensive Federal Data Privacy Legislation?