# EU-US Data Privacy Framework
The 2023 successor to the invalidated Privacy Shield, establishing a new legal basis for transatlantic data transfers between the EU and US.
## What the DPF actually does
The EU-US Data Privacy Framework (DPF) is the third-generation transatlantic data transfer mechanism, adopted by the European Commission in July 2023. It replaces the invalidated Privacy Shield (2016-2020), which itself replaced the invalidated Safe Harbor (2000-2015).
The DPF provides a legal basis under GDPR Article 45 (adequacy decisions) for personal data transfers from the EU to certified US-based companies. As of 2026, several thousand US companies have self-certified under DPF.
## How DPF certification works
US companies can self-certify under DPF by:
1. Publicly declaring adherence to the DPF Principles
2. Implementing those principles operationally
3. Submitting to enforcement by the US Federal Trade Commission
4. Renewing certification annually
5. Listing publicly in the DPF list maintained by the US Department of Commerce
The DPF Principles closely track GDPR principles:
- Notice (transparency about data practices)
- Choice (opt-out for data uses beyond original purpose)
- Accountability for onward transfer
- Security of personal data
- Data integrity and purpose limitation
- Access (data subjects can access their data)
- Recourse, enforcement, and liability
## What's different from Privacy Shield
The DPF includes substantive improvements over Privacy Shield specifically addressing concerns the CJEU raised in Schrems II:
### 1. Data Protection Review Court (DPRC)
The DPF adds a two-tier redress mechanism for complaints from EU data subjects about US intelligence access to their data. A complaint goes first to the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence; the CLPO's decision can then be reviewed by the Data Protection Review Court, a body created under Executive Order 14086 and housed in the Department of Justice. This addresses one of Schrems II's central concerns: that EU citizens had no effective remedy against US surveillance.
The DPRC can order remedial measures, including deletion of data collected in violation of the applicable rules. Whether the DPRC is genuinely independent and effective is contested (see the legal vulnerability section below).
### 2. Limitations on US intelligence access
The DPF rests on commitments codified in Executive Order 14086 (October 2022) and the implementing procedures adopted by the US intelligence agencies:
- **Necessity and proportionality** — signals intelligence may be collected only where necessary to advance a listed legitimate objective, and only to the extent proportionate to that objective
- **Bulk collection limits** — bulk collection is permitted only for a narrower set of listed objectives, and targeted collection is to be preferred where practicable
- **Handling requirements** — minimisation, retention, dissemination and security rules apply to what is collected
- **Oversight and review** — the Privacy and Civil Liberties Oversight Board reviews the implementing procedures, and the European Commission periodically reviews the adequacy decision itself
### 3. Enhanced individual rights
The commercial principles (access, correction, deletion) are largely carried over from Privacy Shield; what the DPF improves is the redress path:
- Complaints to the certified company, which must respond within 45 days
- Free independent dispute resolution, with binding arbitration as a last resort
- Referral through an EU data protection authority, with the Department of Commerce and the FTC as the enforcement backstop
- CLPO and DPRC review for surveillance-related complaints
## Legal vulnerability
The DPF faces ongoing legal challenges. Key concerns:
**1. Annulment action filed.** French MEP Philippe Latombe brought an annulment action against the adequacy decision before the EU General Court in September 2023 (Case T-553/23). The General Court dismissed the action in September 2025, and Latombe appealed to the CJEU. Max Schrems's organisation noyb has also said it will challenge the DPF. The core argument: US surveillance authority remains substantively what it was before the DPF, and the new safeguards are insufficient to meet the "essentially equivalent" standard the CJEU set in Schrems II.
**2. DPRC independence questioned.** The DPRC is created by Attorney General regulation and sits within the Department of Justice, part of the executive branch, rather than being a court established by statute. Privacy advocates argue this falls short of the independent tribunal Article 47 of the EU Charter requires.
**3. Bulk collection limitations remain narrow.** The proportionality and necessity standards in Executive Order 14086 are subject to interpretation and have not yet been tested in major cases.
**4. CJEU pattern.** The CJEU has invalidated two consecutive transatlantic frameworks (Safe Harbor 2015, Privacy Shield 2020). The court's pattern suggests continued willingness to invalidate frameworks that don't fully address surveillance concerns.
A "Schrems III" CJEU ruling invalidating the DPF is plausible. Timeline: the Latombe appeal is pending before the CJEU; a ruling is possible in 2026-2027.
## What DPF means for European businesses in 2026
For most European businesses using US providers:
**1. The DPF currently provides legal basis** for transatlantic transfers to DPF-certified US companies. Use it where appropriate.
**2. Verify certification status** — check that specific US providers are DPF-certified by searching the [official DPF list](https://www.dataprivacyframework.gov/).
**3. Don't rely solely on DPF** — given legal vulnerability, architectural decisions should consider scenarios where DPF is invalidated.
**4. Maintain SCCs as fallback** — Standard Contractual Clauses provide legal continuity if DPF is invalidated.
**5. Continue Transfer Impact Assessments** — even DPF-based transfers benefit from documented TIAs showing awareness of risks.
**6. Consider EU-resident processing for sensitive data** — the strongest legal posture is avoiding the transfer entirely.
## Practical comparison: DPF vs alternatives
For European businesses choosing between transfer mechanisms:
| Mechanism | Legal certainty | Operational complexity | Best for |
|---|---|---|---|
| **DPF (where available)** | Currently strong, structurally vulnerable | Low | Routine transfers to certified US companies |
| **Standard Contractual Clauses + TIA** | Strong but operationally heavy | Medium | Transfers to non-DPF-certified US companies |
| **Binding Corporate Rules** | Strong for intra-group | High initial setup | Large multinationals with intra-group transfers |
| **EU-resident processing** | Avoids the issue entirely | Low if alternatives exist | Sensitive data, regulated industries |
The pragmatic approach for most European businesses: use DPF for general business workloads with US providers, EU-resident processing for sensitive data, and maintain SCCs as legal fallback.
## The longer pattern
The DPF is the third major transatlantic data transfer framework. Both predecessors were invalidated, the second one faster than the first:
- **Safe Harbor**: 2000-2015 (15 years)
- **Privacy Shield**: 2016-2020 (4 years)
- **Data Privacy Framework**: 2023-? (uncertain)
Each framework attempts to reconcile fundamental tensions between US national security law and EU privacy law. Each has been politically negotiated rather than addressing the underlying legal differences.
The structural reality: as long as US surveillance laws conflict with EU privacy law, transatlantic transfer frameworks will remain politically fragile. European businesses planning multi-year strategy should treat transatlantic transfers as ongoing legal risk rather than settled.
## What 2026-2027 brings
Several scenarios:
**Scenario A: DPF survives.** Continued operation, with periodic litigation but no invalidation. Most stable outcome but uncertain.
**Scenario B: Schrems III invalidates DPF.** CJEU ruling invalidates the framework. Transatlantic transfers return to SCCs + TIAs framework with new uncertainty about long-term arrangements.
**Scenario C: DPF survives with limitations.** CJEU ruling narrows DPF's application without full invalidation. Operationally complex but workable.
**Scenario D: New transatlantic agreement.** US and EU negotiate a "DPF 2.0" with stronger protections. Possible but politically difficult.
For European businesses, planning around Scenario B (DPF invalidation) is prudent risk management. If DPF survives, you've over-prepared. If it's invalidated, you're not surprised.
## The architectural answer
Beyond the specific framework details, the architectural answer for European businesses is consistent across scenarios:
1. **Use EU-resident processing for sensitive data** — sidesteps the transfer issue entirely
2. **Use US providers for less sensitive workloads with documented controls** — DPF-based with SCCs fallback
3. **Build multi-cloud architectures** that aren't dependent on any single transfer framework
4. **Treat transfer framework changes as planned events** rather than emergencies — they will continue happening
This is the pattern European businesses have learned through three transfer framework cycles. The DPF is the current version of an ongoing pattern, not the final answer.