
The recently announced Data Privacy Framework decision: Implications for data transfers from the US

Companies based in the EU and UK need to verify if their American data recipients comply with the latest data transfer framework when transferring personal information.


EU-U.S. Data Privacy Framework (DPF) Enables Lawful Transatlantic Data Transfers

After a series of negotiations and legislative actions, the EU-U.S. Data Privacy Framework (DPF) is now operational as the primary mechanism for transferring personal data from the EU to the U.S. The DPF was finalized and adopted by the European Commission on July 10, 2023, following multi-year discussions aimed at addressing the issues identified in the 2020 Schrems II ruling that invalidated the EU-U.S. Privacy Shield.

The DPF establishes that the U.S., through certified companies adhering to the DPF principles, provides an "essentially equivalent" level of protection for personal data as required under the EU GDPR. It relies on new U.S. commitments, including limitations on surveillance activities and a specific redress mechanism for EU individuals. Certification with the U.S. Department of Commerce demonstrates DPF compliance for U.S.-based companies.

For EU and UK companies transferring data to the U.S., this means that they may transfer personal data to U.S. organizations certified under the DPF without additional transfer mechanisms, effectively replacing the old Privacy Shield mechanism. However, given the ongoing legal uncertainty and the potential for future invalidation, companies are strongly advised to continue carrying out Transfer Impact Assessments (TIAs) and documenting Standard Contractual Clauses (SCCs) as fallback safeguards for their international data transfers.

In the UK specifically, the Data (Use and Access) Act 2025 has been introduced with the intention of maintaining UK GDPR adequacy status and streamlining compliance, including data transfers to the U.S. under the UK-specific extension of the EU-U.S. DPF. UK companies rely on both the EU-U.S. DPF and the UK Extension to the DPF, with certifications and compliance obligations mirrored for UK-to-U.S. transfers.

Despite this progress, the DPF's long-term legal stability remains uncertain. Key risks include the status of U.S. surveillance law (notably the FISA 702 legislation reauthorized only through April 2026), which could affect adequacy, and the high likelihood of new legal challenges by privacy groups.

For new data transfers to uncertified data importers in the U.S., EU and UK companies should continue to rely on the SCCs and verify whether additional safeguards are still necessary for the specific transfer. The CJEU has not yet decided whether US law, especially through EO 14086, provides a level of data protection that is essentially equivalent to EU law.

In the meantime, the Commission will conduct periodic reviews of the DPF together with EU data protection authorities and US authorities to confirm the US government's compliance with EO 14086. The UK government will have to agree on an alternative arrangement with the US to cover the flow of UK personal data to the US, as the UK will no longer be covered by the new EU-US Privacy Framework as it has exited the EU.

In summary, the DPF currently enables lawful transatlantic data transfers for certified companies and is regarded as the third and current iteration of transatlantic data transfer mechanisms. Nevertheless, transfer assessments remain critical to mitigate risks of future legal invalidations or challenges. Ongoing monitoring of U.S. surveillance laws and judicial developments is essential for compliance planning by EU and UK entities transferring personal data to the U.S.

The EU-U.S. Data Privacy Framework (DPF) relies on safeguards such as new U.S. commitments and specific redress mechanisms to ensure data privacy by providing an essentially equivalent level of protection for personal data as required under the EU GDPR. Companies should therefore continuously monitor U.S. surveillance laws and judicial developments to keep their data transfer practices compliant with the DPF, especially given the ongoing uncertainty surrounding its long-term stability.
