US companies with business in the EU have been frustrated for years by the lack of an easy-to-implement way to export personal data to the US. Negotiators for the US and the EU have been working to fill the gap since the prior negotiated framework was invalidated by the EU's highest court in a series of decisions. Last fall, the US announced a new Data Privacy Framework (DPF) as the proposed solution. The DPF is currently being reviewed by several stakeholders in the EU to determine whether it would afford EU residents adequate protection for their data in the US. In mid-February, the EU Parliament said "no." Parliament's view is non-binding, but likely to carry at least some weight.
Why It Matters
Many US businesses currently fall back on the imperfect (and possibly also not "adequate") Standard Contractual Clauses if they want to make EU personal data available in the US. The SCCs are unwieldy and intimidating. To small businesses especially, they often feel like overkill.
The lack of an easy solution affects everything from professional contact information to HR data to advertising and analytics data (and more). Without an easily workable set of rules for the export of this data, US companies and their EU business partners will likely have to keep either finding ways to avoid data export, which chills their business efforts (or increases their costs), or lumbering under the weight of the SCCs.