On the 10th of July 2023, the European Commission published its Implementing Decision on the new EU-U.S. Data Protection Framework (the “Framework”).

Following the earlier invalidation of the EU-U.S. Privacy Shield in terms of the 2020 ‘Schrems II’ judgment (C-311/18), the new EU-U.S. Data Privacy Framework is posed as the third revision of the EU’s Data Protection position on EU-U.S. data transfers.

The Framework aims to classify the U.S. as an ‘adequate’ jurisdiction for data transfers on the condition that certain amendments such as the enactment of the current U.S. Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ is added to the U.S.’s data protection regime. Naturally, this decision is founded on the condition that the U.S. ensures an ‘adequate level’ of protection of personal data at the European Union’s standard.

If this condition is satisfied, EU-U.S. data transfers can flow freely, without having to comply with additional safeguards for data transfers to U.S. entities which join the Framework by complying with its privacy obligations.

The Framework attempts to address the past monitoring concerns on the prior regime, which back then, allowed U.S. Intelligence Services and other U.S. public authorities to surveil EU data subjects without necessarily having a reasonable cause or suspicion. On this front, a new Data Protection Review Court was established in order for such issues to have a suitable forum of litigation.

The Framework will be subject to periodic performance reviews carried out by the European Commission, together with the competent U.S. authorities. The first review is planned to take place within a year.

It should be noted that the new Framework has already been met with harsh criticism from various Data Protection experts and advocates, including the same Maximillian Schrems, the mind behind the aforementioned judgment, stating that the new Framework is synonymous to its predecessors and fails to adequately address the concerns raised by the CJEU on the basis of which it invalidated the previous two frameworks. In view of this, Mr. Schrems already publicly stated that he will challenge the new Framework.


The Implementing Decision can be accessed here.

More information on the new Data Privacy Framework can be pursued here.

News update by J.J. Galea, Legal Trainee.

For more information about the new EU-US Data Privacy Framework, please do not hesitate to contact

Dr Ian Gauci or Dr Terence Cassar.

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content