Data Protection Update

A Lifeline for Data Transfers: EU-US Data Privacy Framework Is Back On

In the long-awaited aftermath of the havoc caused by the CJEU’s decision (adopted in 2020 in the famous Schrems II case) to invalidate the previously existing EU-US Privacy Shield Framework, the European Commission adopted the adequacy decision promoting the new EU-US Data Privacy Framework (the “Framework”) on 10 July 2023.

The Framework concludes that the United States now ensures an adequate level of personal data protection – essentially equivalent to that of the European Union. This means that personal data can now flow freely from the EU to US companies participating in the Framework, without the need to implement additional safeguards (such as the standard contractual clauses or binding corporate rules).

After multiple back-and-forths with the Schrems overturns, and continuous concerns expressed by EU regulators and courts, the new Framework seems to have reconciled the opposing views. In particular, the European Commission evaluated the steps taken by the United States to mitigate the risks to personal data protection, especially those aimed at limiting the (broad) surveillance powers and (insufficiently) effective mechanisms allowing the exercise of data subjects’ rights, and concluded that these suffice for a new framework to allow undisrupted data flow to the United States.

Much like its predecessors, the Framework does not validate all data transfers to the US: only certified US companies, which have undergone a certification process under the Framework, will be able to import personal data from the EU and EEA without the need to rely on alternative data transfer mechanisms. The certification process will be performed by the U.S. Department of Commerce, whereas organizations already certified to the Privacy Shield will have to update their privacy policies to account for the Framework in the upcoming three months. The U.S. Department of Commerce will maintain a list of certified organizations, which will serve to demonstrate that an organization can receive personal data on the basis of the Framework, from the date it is placed on the list.

To put this in perspective locally, the new Framework has strong implications for Serbia as well, given that the validity of EU adequacy decisions automatically extends to Serbia under local data protection laws.

Until now, in the absence of an adequacy decision for transfers to the US, Serbian companies have had a hard time trying to grasp how to perform data transfers to the US in a legally sound way, which presented a non-negligible obstacle to smooth business cooperation with US-based organizations. This exercise was particularly mind-bending given the non-existence of Serbian standard contractual clauses (the “SCCs”) supporting all potential transfer scenarios (rather than just the controller-to-processor ones), unlike EU-based companies, which had the advantage of relying on a modernized set of the SCCs.

As a consequence of the Framework, companies in Serbia will be able to enjoy the facilitated data flow to and from certified US companies, while playing it cautiously by checking that all transfers to the US are done in accordance with the new Framework. In that sense, the adoption of the Framework is a great opportunity for local companies to revisit their transfers and data importers and make sure that their data processing activities reflect the new legal environment.


The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.