The EU-U.S. Data Privacy Framework: LONG-AWAITED, READY TO BE CONTESTED, AND RAISING MORE QUESTIONS THAN ANSWERS

The EU-US Data Privacy Framework is finally a reality. Today the European Union announced the approval of the much-awaited Adequacy decision (see here), officially recognising the United States as a country that provides sufficient protections for the data of EU citizens which is transferred across the Atlantic. The decision comes following lengthy negotiations and a long period of legal uncertainty for organisations. Undoubtedly, the Framework will face significant scrutiny, as was the case for the past Adequacy decisions.

The million-dollar question that multinationals now face is how stable the Adequacy decision will be. While it’s true that the decision solves the EU-US data transfer issue in the short term, will it be a suitable basis for organisations to rely on when making mid-term investments that involve the systematic transfer of data to the US? The decision is valid only for data transferred from the EU to US companies that adhere to the new certification system, under which they commit to a set of privacy principles: the ‘EU-U.S. Data Privacy Framework Principles’ (1. Purpose limitation and choice, 2. Processing of special categories of personal data, 3. Data accuracy, Minimisation and security, 4. Transparency, 5. Individual rights, 6. Restrictions on onward transfers, and 7. Accountability), including the Supplemental Principles issued by the US Department of Commerce.

Another milestone in the data arena, and one that will require a multitude of strategic decisions!
