link to page 1 
Updated June 2, 2022
U.S.-EU Trans-Atlantic Data Privacy Framework
In March 2022, the United States and the European Union
U.S. and Congressional Interests
(EU) announced a political agreement on a new Trans-
Many Members of Congress urged the United States and
Atlantic Data Privacy (TADP) Framework to safeguard
the EU to reach a successor accord to Privacy Shield to
commercial cross-border data flows. For decades, data
guarantee cross-border data flows and protect U.S. business
privacy and protection issues have been sticking points in
interests. Data flows underlie much of the $7.1 trillion U.S.-
U.S.-EU relations. The new framework aims to meet EU
EU economic relationship. Some companies, including
data protection obligations and facilitate transatlantic trade.
Facebook’s parent company, Meta, raised the potential of
withdrawing from the EU market if a new transatlantic data
Data Transfers and Surveillance Issues
flow agreement could not be reached. The demise of
The EU considers the privacy of communications and the
Privacy Shield thus reinforced concerns among some in
protection of personal data to be fundamental rights,
Congress that the EU approach to data protection creates
codified in EU law, while U.S. federal policy protects
unfair trade barriers and limits U.S. firms’ access to the EU
certain data on a sectoral basis. Over the years, the United
market. Congress may be interested in evaluating the TADP
States and the EU have concluded several data transfer
Framework, including its ability to ensure continued data
agreements (both in the commercial and law enforcement
flows for U.S. companies and organizations, its potential
sectors) that sought to address EU concerns about U.S. data
implications for U.S. national security, or the extent to
protection practices. Despite U.S. assurances, many in the
which the TADP and U.S.-EU cooperation helps to set
EU have remained uneasy about U.S. intelligence and
international privacy standards and counter China’s
surveillance laws and possible U.S. government access to
influence on digital issues globally.
EU citizens’ personal data. Resulting tensions and legal
challenges have impacted U.S.-EU data transfer accords,
Transatlantic Data Flows
threatening bilateral trade for U.S. and EU businesses, and
According to the U.S. Bureau of Economic Analysis, the
raising congressional concerns.
United States and Europe are each other’s most important
commercial partners for digitally-enabled services. U.S.-EU
EU Court Invalidates Privacy Shield
trade of information and communications technology (ICT)
Before the new TADP Framework was announced, the
services and potentially ICT-enabled services was over
Court of Justice of the European Union (CJEU, also known
$264 billion in 2020 (see Figure 1). Transatlantic data
as the European Court of Justice, or ECJ) had invalidated
flows account for more than half of Europe’s data flows and
two U.S.-EU commercial data transfer accords, most
about half of U.S. data flows globally. Such data flows
recently the Privacy Shield Framework in July 2020. Since
enable people to transmit information for online
2016, Privacy Shield had provided a mechanism to transfer
communication, track global supply chains, share research,
EU citizens’ personal data to the United States while
provide cross-border services, and support technological
complying with EU data protection rules. Privacy Shield
innovation, among other activities. Organizations may use
sought to address concerns raised in a 2015 CJEU decision
customer or employee personal data to facilitate business
that struck down a similar U.S.-EU data transfer accord, the
transactions, analyze marketing information, discover
Safe Harbor Agreement. Privacy Shield also was crafted in
fraudulent payments, improve proprietary algorithms, or
anticipation of the EU’s General Data Protection
develop competitive innovations.
Regulation (GDPR), which took effect in May 2018, and
created new individual rights and requirements for data
Figure 1. U.S.-EU Trade of ICT and Potentially ICT-
protection throughout the EU. Nevertheless, the CJEU
Enabled (PICTE) Services, 2020
found that Privacy Shield failed to meet EU data protection
standards given the breadth of U.S. data collection powers
authorized in U.S. electronic surveillance laws and the lack
of redress options for EU citizens. The CJEU ruling also
increased due diligence requirements for data exporters
using another EU mechanism—standard contractual clauses
(SCCs)—to transfer personal data to the United States.
At the time of its invalidation in 2020, Privacy Shield had
5,380 participants, including U.S. businesses and other
Source: CRS with data from the Bureau of Economic Analysis.
organizations, U.S. subsidiaries in Europe, and 250 entities
headquartered in Europe. The CJEU ruling created legal
The TADP Framework
uncertainty for many firms engaged in transatlantic trade,
In announcing the “deal in principle” on the TADP
both those that relied on Privacy Shield (over 75% of which
Framework, the Biden Administration and the European
were small and mid-sized firms, SMEs) and those using
Commission (the EU’s executive, responsible for
SCCs, including many large multinational companies.
negotiating on behalf of the EU) asserted that the agreement
https://crsreports.congress.gov
U.S.-EU Trans-Atlantic Data Privacy Framework
“reflects the strength of the enduring U.S.-EU relationship.”
Use commercial cloud services provided by large
U.S. and European Commission negotiators are working to
technology firms that use approved BCRs or updated
flesh out the details of the new framework and translate the
SCCs (e.g., Microsoft, IBM);
agreed arrangements into official texts. U.S. commitments
Store EU citizens’ personal data only in the EU or other
are to be formalized in an executive order, signed by the
approved country, an idea advocated by some European
President (congressional approval would not be necessary).
DPAs and other stakeholders, but which others view as
The EU would then need to review the official texts before
potential costly data localization trade barriers;
granting final approval of the framework.
Obtain consent from individuals for every single transfer
Key Provisions
of personal data, a likely logistically challenging and
Participating companies and organizations that take
costly option for most entities;
advantage of the TADP Framework to protect data flows
Exit or limit participation in the EU market.
would continue to be required to adhere to the Privacy
Other alternatives would be for the EU to establish codes of
Shield Principles and to self-certify through the U.S.
conduct or certifications that meet GDPR requirements, for
Department of Commerce (Commerce). The seven distinct
which organizations could apply. These programs could be
privacy principles include: notice; choice; accountability for
U.S.-EU specific or at a broader, global level.
onward data transfer; security; data integrity and purpose
limitation; access; and recourse, enforcement, and liability.
Other international forums and agreements may affect U.S.-
Privacy Shield also set out 16 mandatory supplemental
EU data flows. In April 2022, the United States and six
principles that included provisions on sensitive data,
partners announced the establishment of the Global Cross-
secondary liability, the role of data protection authorities
Border Privacy Rules (CBPR) to promote interoperability
(DPAs), human resources data, pharmaceutical and medical
and help bridge different regulatory approaches globally. It
products, and publicly available data; the new framework is
is not clear if the Global CBPR system would meet EU
expected to contain these supplemental principles.
legal obligations. Digital trade negotiations at the World
Trade Organization also include discussions on cross-
To address EU concerns about U.S. surveillance practices,
border data flows, and law enforcement access to data is a
the new framework would increase safeguards and limits on
topic of negotiations at the Organization for Economic Co-
U.S. signals intelligence activities, establish a new redress
operation and Development. Data flows and privacy are not
mechanism with independent and binding authority (the
included, however, under the U.S.-EU Trade and
Data Protection Review Court), and add oversight
Technology Council, because the EU views data protection
procedures for signals intelligence activities. Press reports
as a fundamental right not open for negotiation in trade
suggest a new unit under the U.S. Department of Justice
discussions.
may oversee surveillance of EU persons.
Issues for Congress
Program Enforcement
Congressional action in several areas could shape the future
The new TADP program would continue to be administered
landscape for U.S.-EU data transfers. For example:
by Commerce and the European Commission. Commerce
would monitor firms’ effective compliance and investigate
Exploring changes when authorizing and overseeing
complaints. The U.S. Federal Trade Commission (FTC) and
surveillance programs to better protect data privacy or
the U.S. Department of Transportation would continue to
otherwise address EU concerns;
enforce compliance. In June 2020, FTC reported
Considering comprehensive federal privacy legislation
enforcement actions against dozens of companies that made
that includes data protection provisions that may align to
false or deceptive representations about Privacy Shield
some extent with GDPR requirements, to provide some
participation. The FTC’s $5 billion penalty against
level of certainty to EU businesses and individuals;
Facebook included holding executives accountable for
Examining how best to achieve broader consensus on
privacy-related decisions and prohibiting
data flows and privacy at the global level, cooperate
misrepresentations related to Privacy Shield.
with the EU and other like-minded partners on
Future Prospects
alternatives to counter China’s influence in the digital
space, and hold hearings on U.S. engagement in ongoing
EU officials hope that the new TADP Framework will be
bilateral and multilateral digital trade negotiations.
finalized and adopted by the end of 2022. Implementation
of the new framework may alleviate prior uncertainty
Also see CRS In Focus IF10896, EU Data Protection Rules
created by the CJEU ruling on the former Privacy Shield,
and U.S. Implications, by Rachel F. Fefer and Kristin
but stakeholders will be closely monitoring future
Archick; CRS Report R46724, EU Data Transfer
enforcement. Potential new legal challenges brought by EU
Requirements and U.S. Intelligence Laws: Understanding
privacy advocates could test the agreement’s durability.
Schrems II and Its Impact on the EU-U.S. Privacy Shield,
Apart from the new framework, U.S. firms have limited
by Chris D. Linebaugh and Edward C. Liu, and CRS Report
options for cross-border data flows with the EU. They
R45584, Data Flows, Online Privacy, and Trade Policy, by
include:
Rachel F. Fefer.
Create Binding Corporate Rules (BCRs) that EU
Rachel F. Fefer, Analyst in International Trade and
officials must approve on a firm-by-firm basis;
Finance
Implement updated EU-approved SCCs and reassess for
Kristin Archick, Specialist in European Affairs
adequate safeguards according to the CJEU ruling;
https://crsreports.congress.gov
U.S.-EU Trans-Atlantic Data Privacy Framework
IF11613
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11613 · VERSION 5 · UPDATED