
Easier Data Transfer To The US: Adequacy Decision For EU-U.S. Data Privacy Framework Adopted

We have already written that the European Commission initiated the procedure for adopting a decision that would establish an adequate level of protection of personal data in the USA, which would make the transfer of data from Serbia and the EU to the USA significantly easier. This marked the beginning of the end of the chaos created after the Court of Justice of the EU invalidated the EU-US Privacy Shield (the agreement that represented the legal framework for the transfer of personal data from the European Union to the United States of America) in 2020. The invalidation created a huge problem for companies doing business with the United States and made transferring data from Europe to the United States significantly more difficult.

On July 10th 2023, the European Commission adopted an EU-US adequacy decision, establishing an adequate level of personal data protection in the US in accordance with the new EU-US Data Privacy Framework (hereinafter: the Framework).

A press release published by the European Commission said that the “EU-US Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the Court of Justice of the EU, including limiting access to EU data by US intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court.”

As under the previous frameworks, an adequate level of protection is not assumed for all companies in the USA, but only for those that pass the certification process before the competent body in the USA (the U.S. Department of Commerce). Already certified organizations will have to update their privacy policies and comply with the new Framework, and the competent authority will maintain a list of certified companies that can receive data based on the Framework, from the date of listing.

The Framework also applies to companies in Serbia, in accordance with domestic regulations, and sending personal data to the USA will in future be much easier than under the previous system. That system involved either transferring data on the basis of Standard Contractual Clauses, which have significant restrictions (especially with regard to specific transfers and to the transferor's further obligations to ensure adequate processing conditions), or transferring data in “special situations”, which was certainly an exception and was applied very restrictively.

From experience with previous frameworks, we can expect legal challenges in this case as well. The main evaluation of the new Framework will most likely again be given by the Court of Justice of the EU. In any case, the current circumstances allow companies to take advantage of the Framework in a smart way and reap multiple benefits from it.