
The EU-US Data Privacy Framework Was Just Approved. Why Are Some Companies Avoiding It?

After three years of negotiations, the EU gave final approval in July to a new deal that allows companies to store European personal data on US soil. The deal, known as the EU-US Data Privacy Framework, offers a framework to facilitate cross-border data transfers while protecting individuals’ data privacy.

It’s been a slow process — three years in the making — to reach this point. So why are some companies holding back from adopting the new data agreement?

What is the EU-US Data Privacy Framework?

First, let’s understand what the framework involves. Also known as the Trans-Atlantic Data Privacy Framework, the EU-US Data Privacy Framework is an agreement designed to facilitate the free flow of data between countries.

Originally announced in October 2022 with an executive order from the President of the United States, the framework offers a comprehensive set of guidelines to protect individual privacy rights in data transfers across the Atlantic. In it, the US outlines data privacy procedures that are essentially equivalent to the EU’s own procedures in the General Data Protection Regulation (GDPR).

The framework was developed in response to the Schrems II ruling (C-311/18), a landmark data privacy case brought by Austrian privacy activist Max Schrems. In 2020, Schrems II invalidated the EU-US Privacy Shield, an earlier agreement designed to facilitate EU-US data transfers under the GDPR. Ever since then, companies subject to the GDPR have had to rely on lengthy legal contracts and supplementary safeguards to transfer data to the US.

Now, the newly approved EU-US Data Privacy Framework aims to replace the old Privacy Shield and establish a secure and transparent mechanism for organizations to transfer personal data under the GDPR. It is designed to not only facilitate seamless data sharing for businesses but also safeguard people’s personal information, bolstering cross-border trade while upholding fundamental privacy concerns.

Why are some companies avoiding the Data Privacy Framework?

According to the US Commerce Department — which last month released a new Data Privacy Framework website for US companies to self-certify their compliance — around 2,500 companies have signed up to the new framework so far. That’s only a small fraction of the companies eligible to use the framework. So why are companies holding back?

For some, it’s because they’re waiting to see whether the benefits outweigh the risks. For others, it’s a question of learning from Schrems II and waiting to see if this new agreement is also struck down in court. Below, we’ll dig into several of the top reasons that companies are hesitating to adopt the new framework.

Organizations have already established their own data privacy frameworks

The EU-US Data Privacy Framework has been a long time in the making, and three years have passed since Schrems II. In that time, organizations that process EU personal data have had to implement their own data privacy measures to comply with the GDPR.

As a Wall Street Journal article reports, many of these organizations are now choosing to stick with these existing data privacy practices. Some companies are just accustomed to the contractual clauses and technical safeguards they’ve been using in lieu of an official framework; others have made more permanent changes like switching from American to European technology providers.

Organizations fear the increased regulatory burden

According to the same Wall Street Journal article, the new Data Privacy Framework “opens companies up to more regulatory scrutiny and requires privacy teams to go through extra work to make sure they meet requirements.” What’s more, the payoff might not be worth it, since some business deals will still require additional data privacy assurances beyond the new framework.

Additionally, most organizations that adopt the Data Privacy Framework will need to consult with both legal counsel and the supervisory data protection authorities in their jurisdiction to ensure that their new practices are compliant. Taken together, these issues may make adopting the Data Privacy Framework a no-go for many companies.

Privacy experts fear that the framework is insufficient

Some privacy scholars believe that the EU-US Data Privacy Framework does not adequately protect EU personal data. Many concerns have already been raised about the framework, most of which revolve around the powers of the United States government.

For instance, the framework’s Data Protection Review Court operates under the US Attorney General’s authority, casting doubts on its independence. The framework also does not negate the US CLOUD Act, which allows federal law enforcement to demand sensitive personal data from US-based technology companies. Meanwhile, data subjects are not notified when they are subjected to US intelligence activities, giving them little chance of exercising their privacy rights.

Because of these and other concerns, Max Schrems and his digital privacy nonprofit NOYB have noted that the framework appears to fall short of the requirements of Schrems II and the GDPR.

Organizations are anticipating Schrems III

Given the previous point, it’s probably unsurprising that Max Schrems has announced his intention to file a legal complaint against the new framework. Although the EU anticipates that it can “credibly defend this framework,” privacy experts suggest that a Schrems III case is likely — and that Schrems will again prevail.

What does this mean, long-term? Unfortunately, it seems likely that organizations will remain in a cycle of new data privacy frameworks, followed by litigation that upends those frameworks, for the foreseeable future. In the meantime, though, there are many ways to ensure strong data privacy and security for your business.

ShardSecure: Supporting data privacy and regulatory compliance

ShardSecure's solution supports data privacy and meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR. Specifically, the ShardSecure platform is a split processing technology that can be easily deployed in a multi-party processing environment, meaning that it allows organizations to store and process data safely under the EDPB’s Use Case 5.

For a more detailed explanation on how the ShardSecure platform mitigates data transfer risks and supports data privacy, take a look at our GDPR/Schrems II white paper or peruse our resources.

Sources

EU Approves Data-Transfer Deal With US, Averting Potential Halt in Flows | WSJ

Questions & Answers: EU-US Data Privacy Framework | European Commission

Data Privacy Framework Program Launches New Website Enabling US Companies to Participate in Cross-Border Data Transfers | US Department of Commerce

Some Companies Shun Long-Awaited Trans-Atlantic Data Agreement | WSJ

EU-US Data Privacy Framework Adopted, What Now? | International Association of Privacy Professionals

The CLOUD Act and Transatlantic Trust | Center for Strategic and International Studies

Privacy — Heading for Schrems III? | Center for Strategic and International Studies