The European Commission has issued its draft adequacy decision on the EU-U.S. Data Privacy Framework (DPF) on December 13, potentially opening the door to another method of trans-Atlantic flow for personal data. The next step is for the draft adequacy decision to go through the EU's formal approval process, which first includes a non-binding opinion from the European Data Protection board (EDPB) followed by a full vote by the member states.

However, the DPF faces an uphill battle. Some EU regulators have already suggested that the DPF, and President Biden's executive order, fall well short of the level of protection required by the GDPR, and members of the EU Parliament's Civil Liberties committee have announced that they will work on a non-binding resolution opposing the DPF after the EDPB's opinion is released. And Max Schrems has already suggested a prompt legal challenge to the adequacy of the DPF.

Ultimately this means continued uncertainty for organizations who need to export personal data from the EU to the United States. Such organizations may be best served by sitting back, relaxing, and using the Standard Contractual Clauses and waiting for the dust to settle.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.