Data Privacy Framework
The EU-US Data Privacy Framework (DPF) is the legal framework that makes it lawful to transfer personal data from the EU to certified US companies. The European Commission adopted the adequacy decision on 10 July 2023, replacing the invalidated Privacy Shield agreement from 2016.
What is the Data Privacy Framework?
The Data Privacy Framework is an agreement between the EU and the US that solves one of the biggest issues in international data protection: how to transfer personal data from the EU to the US lawfully. The European Commission adopted the adequacy decision on 10 July 2023, and since then certified US companies have been able to receive personal data from the EU without additional contractual or technical safeguards.
The full name is the EU-US Data Privacy Framework, often shortened to DPF. The agreement reflects the European Commission's assessment that the US, for those companies that join the DPF, ensures a level of protection that is essentially equivalent to GDPR.
In short: if your US supplier is DPF-certified, you can transfer personal data to them under the Commission's adequacy decision (Article 45 GDPR) instead of under the Article 46 safeguards. You do not need standard contractual clauses or a transfer impact assessment for the transfer itself, although the other GDPR requirements, including a data processing agreement where the supplier is a processor, still apply.
From Safe Harbor to DPF
DPF is the third attempt to create a durable framework for transatlantic data transfers. The history explains why many lawyers remain cautious about the scheme:
- Safe Harbor (2000-2015): The first agreement. The Court of Justice of the EU invalidated it in the Schrems I judgment in October 2015, finding that US law allowing generalised access to personal data by public authorities compromised the essence of the right to privacy, and that EU citizens had no adequate remedies.
- Privacy Shield (2016-2020): The successor with stricter requirements. It was invalidated in Schrems II in July 2020, again because the Court found that US intelligence services had overly broad access to personal data and that EU citizens had no meaningful right of redress.
- Data Privacy Framework (2023-): The current scheme. It rests on Executive Order 14086, signed by President Biden in October 2022, which limits US signals-intelligence access to what is necessary and proportionate and creates a two-tier redress mechanism ending in the Data Protection Review Court.
Between Schrems II in 2020 and DPF in 2023, businesses transferring to the US had to rely on standard contractual clauses, a transfer impact assessment for each transfer and, where needed, supplementary measures, on top of the data processing agreement that Article 28 requires in any case. That created a significant administrative burden, and DPF removes it for transfers to companies that choose to certify.
How does DPF work in practice?
DPF is a voluntary self-certification scheme. A US company goes through a process with the US Department of Commerce and commits to a set of principles closely aligned with GDPR:
- Notice: The company must inform data subjects about the processing.
- Choice: Data subjects must have the option to opt out of certain types of processing, such as marketing.
- Accountability for onward transfer: If data is passed on to a third party, that third party must also protect the data to a comparable standard.
- Security, data integrity and purpose limitation: Technical and organisational measures appropriate to the risk, and processing limited to the purposes for which the data was collected.
- Access, recourse and enforcement: Data subjects have a right of access and can complain to the company, which must respond within 45 days, and to a free independent recourse mechanism; unresolved complaints can go to binding arbitration. Complaints about access by US intelligence agencies follow a separate route: they are filed through an EU data protection authority, reviewed first by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence, and can then be appealed to the Data Protection Review Court (DPRC).
Certification involves an annual fee and must be renewed every year. The list of certified companies is public and can be checked at dataprivacyframework.gov. Once a company is listed as "Active", you as a data controller in the EU can lawfully transfer personal data to them under DPF. A company whose certification has lapsed is shown as "Inactive": it may no longer receive new transfers under DPF, even though it remains bound to protect data it received while certified.
What does DPF mean for your business?
If you use US suppliers, for example for cloud hosting, email marketing, CRM or analytics, the following applies:
- Check whether the supplier is DPF-certified. Look them up at dataprivacyframework.gov. If the status is "Active", you can use DPF as your transfer basis.
- Check which data categories the certification covers. Some companies are only certified for ordinary personal data, others also for HR data. This matters if, for example, you use the supplier for employee data.
- Document your transfer basis. Your Article 30 record of processing activities should reflect that the transfer takes place under DPF and that you have verified the certification, and your privacy notice should name the transfer and the adequacy decision it relies on (Article 13(1)(f)). Note the date of the check; the list changes, so re-verify periodically and at each contract renewal.
- Keep backup mechanisms for non-certified suppliers. Not all US suppliers are certified. For those, you must continue to use standard contractual clauses and carry out a transfer impact assessment.
Important: DPF only covers transfers to certified organisations in the US. If personal data also ends up in other third countries, for example because your supplier uses sub-processors in India or the Philippines, that leg must rest on another mechanism, typically standard contractual clauses. Check the supplier's sub-processor list and where each sub-processor is located before relying on DPF alone.
Using DPF does not exempt you from the other GDPR requirements. You still need a legal basis under Article 6, you must still meet your information obligations, and you still have to handle data subject rights. DPF only resolves the question of transfer to a third country.
The risk of Schrems III
The Austrian activist Max Schrems, whose organisation noyb brought both Schrems I and Schrems II, has publicly signalled a challenge to DPF. The argument is that a Presidential Executive Order can be revoked or amended by a later administration, and that the Data Protection Review Court is not a court in the traditional sense, because it sits within the executive branch (the Department of Justice) rather than the judiciary. A separate challenge brought by French MEP Philippe Latombe was dismissed by the EU General Court in September 2025, but that judgment can still be appealed to the Court of Justice.
If the Court of Justice of the EU invalidates DPF, EU businesses will once again have to transfer data to their US suppliers on the basis of standard contractual clauses and carry out a transfer impact assessment for each transfer, as they did between 2020 and 2023. This is a scenario you should plan for, particularly if you have critical suppliers in the US.
Our practical recommendation is to keep standard contractual clauses ready as a backup, even for DPF-certified suppliers; many businesses sign them alongside the contract with a clause stating that they take effect if the adequacy decision falls. It is a small administrative addition that can save you a major headache if the scheme is invalidated.
Frequently Asked Questions about Data Privacy Framework
What is the Data Privacy Framework?
The EU-US Data Privacy Framework (DPF) is an agreement between the EU and the US that makes it lawful to transfer personal data from the EU to US companies that are certified under the scheme. The European Commission adopted the adequacy decision on 10 July 2023.
How do I know whether a US supplier is DPF-certified?
You can look up the supplier on the official list at dataprivacyframework.gov. The list also shows whether the certification is active and which data categories it covers (HR data or ordinary personal data).
Do I still need standard contractual clauses if the supplier is DPF-certified?
No, not for the transfer itself. DPF is an adequacy decision under Article 45 GDPR, so it works in the same way as the European Commission's other adequacy decisions (for example those for the UK, Japan or Switzerland). Many businesses still keep SCCs as a backup in case DPF is one day invalidated.
Is DPF the same as Privacy Shield?
No. Privacy Shield was invalidated by the Court of Justice of the EU in 2020 (Schrems II). DPF is a new agreement with additional safeguards, including an independent Data Protection Review Court that handles complaints from EU citizens about US intelligence access.
Can DPF be invalidated like Privacy Shield?
Yes, that is a real risk. The activist Max Schrems has already signalled a case (informally referred to as Schrems III). For now DPF remains valid, but it is wise to have a plan B in the form of standard contractual clauses.
Related Terms
GDPR
The EU's General Data Protection Regulation (Regulation 2016/679), governing the processing of personal data and establishing rights for data subjects.
Personal Data
Any information that can identify a natural person directly or indirectly, as defined in GDPR Article 4(1).
Data Processing Agreement
A written agreement between a data controller and a data processor governing the processing of personal data, as required by GDPR Article 28.
Data Controller
The data controller is the organisation that determines the purposes and means of processing personal data, as defined in GDPR Article 4(7).
Legal Basis for Processing
The legal ground that entitles an organisation to process personal data under GDPR Article 6.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.