Establishes a legal mechanism for EU-US personal data transfers under GDPR, replacing two prior frameworks struck down by EU courts.
Key Facts
- Agreement reached
- 2022
- Adequacy decision
- European Commission, 2023
- EEA extension
- 2024
- Previous framework (Privacy Shield)
- Invalidated July 2020 by ECJ
- Prior regime (Safe Harbor)
- Invalidated 2015 by ECJ
- Governing regulation
- GDPR
By the Numbers
Cause → Event → Consequence
The European Court of Justice invalidated two successive EU-US data transfer regimes — the International Safe Harbor Privacy Principles (2000–2015) and the EU-US Privacy Shield (2016–2020) — citing inadequate protection of EU citizens' personal data from US government surveillance, leaving companies without a reliable legal basis for transatlantic data flows.
In 2022 the EU and US agreed to the EU-US Data Privacy Framework under GDPR, which the European Commission declared adequate in 2023 and extended to the full EEA in 2024. The framework was negotiated under Ursula von der Leyen and is intended to address surveillance concerns that invalidated its predecessors.
Companies transferring data between the EU and the US gained a renewed legal mechanism, reducing compliance uncertainty. However, the European Parliament questioned whether the framework sufficiently protects EU citizens from US mass surveillance, and doubts about its longevity emerged under the Trump administration, leaving its future uncertain.
Political Outcome
EU-US Data Privacy Framework agreed in 2022, declared adequate by European Commission in 2023, and extended to the EEA in 2024; its conformity with EU law and long-term viability remain contested.
No valid EU-US data transfer framework following invalidation of Privacy Shield in July 2020
New adequacy-based framework enabling personal data transfers between EU/EEA and US under GDPR