The European Commission adopted its adequacy decision for the EU–US Data Privacy Framework, giving certified US companies a renewed legal route to receive personal data from the EU after the collapse of Privacy Shield.
The Framework introduces binding safeguards on US intelligence access, a two-layer redress mechanism including a Data Protection Review Court, and a self-certification scheme administered by the US Department of Commerce.
EU organisations can transfer data to participating US companies without additional safeguards such as standard contractual clauses — provided the recipient is actively certified under the Framework.
As with its predecessors, the decision faces legal challenge ('Schrems III'). Prudent organisations treat the Framework as a working solution while keeping fallback transfer mechanisms documented and ready.
The information contained within this resource does in no way constitute legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
Need to act on this?
We advise on GDPR compliance, transfers, AI and breach response.