EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF) is a transatlantic certification scheme on the basis of which the European Commission adopted an adequacy decision under Art. 45 GDPR on 10 July 2023. It allows personal data to be transferred from the EU to companies in the US that have self-certified with the US Department of Commerce and committed to a defined set of data protection principles. The DPF is the successor to the Privacy Shield, which the Court of Justice of the European Union declared invalid in July 2020 in its "Schrems II" ruling (C-311/18).

At the heart of the new arrangement are additional safeguards that address the deficiencies the CJEU identified regarding access to data by US intelligence agencies. US Executive Order 14086 limits intelligence data access to what is necessary and proportionate and establishes, in the Data Protection Review Court (DPRC), a two-tier independent redress mechanism that EU individuals may also invoke. Certified US companies must comply with the DPF principles, which include, among others, notice obligations, purpose limitation, data minimisation, choice for data subjects, and liability for onward transfers.

For controllers in the EU, the DPF brings a considerable simplification: transfers to recipients certified under the framework no longer require additional safeguards such as standard contractual clauses or a transfer impact assessment. The prerequisite, however, is that the specific recipient is actually actively certified on the official DPF list (dataprivacyframework.gov) for the relevant data category; this must be verified before and during the transfer. For non-certified recipients, or if the adequacy decision is challenged again, standard contractual clauses remain the key fallback instrument.