EU-US Data Privacy Framework: Complete Guide (2026)
The EU-US Data Privacy Framework (DPF) represents the third attempt by the European Union and the United States to create a stable legal mechanism for transferring personal data across the Atlantic. After the Court of Justice of the European Union (CJEU) struck down both the Safe Harbor arrangement in 2015 and the Privacy Shield in 2020, the DPF was designed to address the specific concerns the Court raised about US government surveillance practices and the lack of adequate redress for EU individuals.
On July 10, 2023, the European Commission adopted its adequacy decision for the DPF, enabling personal data to flow from the EU to certified US organizations without additional transfer safeguards. The framework rests on commitments by the US government to limit intelligence agency access to EU personal data and to establish an independent review mechanism for complaints.
This guide covers the full history of EU-US data transfer frameworks, how the DPF works, the certification process, the new redress mechanism, and the ongoing risks organizations should consider.
From Safe Harbor to Privacy Shield to the DPF
The path to the current framework spans more than two decades and two landmark CJEU rulings. Understanding this history is essential for assessing the DPF's durability.
Safe Harbor (2000 to 2015)
The Safe Harbor framework was adopted in 2000 to bridge fundamental differences between EU and US approaches to data protection. Under Safe Harbor, US companies could self-certify that they met a set of privacy principles aligned with EU standards. Roughly 4,500 US companies participated.
In October 2015, the CJEU invalidated Safe Harbor in the Schrems I ruling (Case C-362/14). Austrian privacy advocate Max Schrems challenged Facebook Ireland's data transfers, arguing that Edward Snowden's revelations about NSA mass surveillance programs demonstrated the US did not provide adequate protection. The Court agreed, finding that Safe Harbor did not sufficiently limit US government access to EU personal data and offered no effective judicial redress for EU individuals.
Privacy Shield (2016 to 2020)
The EU-US Privacy Shield replaced Safe Harbor in August 2016. It included stronger privacy principles, enhanced oversight by the US Federal Trade Commission (FTC), and the creation of a State Department Ombudsperson to handle EU complaints about intelligence activities. Over 5,300 US companies certified under Privacy Shield.
In July 2020, the CJEU struck down Privacy Shield in Schrems II (Case C-311/18). The Court found that US surveillance programs, particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, allowed bulk data collection that exceeded what was "strictly necessary" under EU law. The Ombudsperson mechanism was not considered sufficiently independent because it lacked binding authority over intelligence agencies.
Negotiations Leading to the DPF (2020 to 2023)
Following the Schrems II decision, organizations transferring data to the US relied primarily on Standard Contractual Clauses (SCCs), combined with supplementary measures such as Transfer Impact Assessments. Negotiations between the EU and US began almost immediately.
In March 2022, President Biden and European Commission President von der Leyen announced an agreement in principle on a new framework. On October 7, 2022, President Biden signed Executive Order 14086 ("Enhancing Safeguards for United States Signals Intelligence Activities"), which created the substantive legal changes the new framework required.
The European Commission published its draft adequacy decision in December 2022, and the European Data Protection Board (EDPB) issued its opinion in February 2023 acknowledging the improvements while raising remaining concerns. The final adequacy decision was adopted on July 10, 2023.
How the DPF Works
The DPF operates through two complementary elements: self-certification by US companies and binding commitments by the US government regarding intelligence activities.
The Certification Process
US companies join the DPF by self-certifying through the International Trade Administration (ITA), a bureau within the US Department of Commerce. Certification is voluntary but creates legally binding obligations.
To certify, an organization must:
- Confirm it is subject to the enforcement jurisdiction of the FTC or the Department of Transportation (DOT)
- Develop a privacy policy that conforms to the DPF Principles
- Identify an independent recourse mechanism for handling complaints
- Pay the applicable annual fee based on annual revenue
- Submit its certification through the Data Privacy Framework website
As of early 2026, over 2,800 organizations have active DPF certifications. The ITA maintains a public list of all certified organizations, which EU data exporters can verify before transferring data.
The DPF Principles
Certified organizations must comply with a set of privacy principles that mirror core GDPR concepts:
- Notice: Organizations must inform individuals about data collection practices, purposes, and rights
- Choice: Individuals must be able to opt out of having their data used for materially different purposes or disclosed to third parties
- Accountability for Onward Transfer: Data shared with third parties must be protected through contracts requiring equivalent protections
- Security: Reasonable and appropriate measures must protect personal data from loss, misuse, and unauthorized access
- Data Integrity and Purpose Limitation: Personal data must be limited to what is relevant for the purpose of processing
- Access: Individuals must be able to access their personal data and correct or delete inaccurate information
- Recourse, Enforcement, and Liability: Robust mechanisms must exist for ensuring compliance and providing remedies
Enforcement
The FTC serves as the primary enforcement body for DPF compliance. Companies that fail to comply with their DPF commitments can face FTC enforcement actions under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC has brought enforcement actions against companies that falsely claimed DPF certification or failed to uphold their privacy policy commitments.
The Department of Commerce monitors compliance, conducts random spot-checks of certified organizations, and can remove non-compliant companies from the DPF list. Organizations that withdraw from the DPF must continue to apply DPF protections to data received during the period of certification.
Executive Order 14086: The Legal Foundation
Executive Order 14086 is the cornerstone of the DPF. It directly addresses the two deficiencies the CJEU identified in Schrems II: the lack of proportionality in US signals intelligence collection and the absence of an independent redress mechanism.
Restrictions on Intelligence Collection
The Executive Order limits signals intelligence collection to 12 defined legitimate national security objectives, including counterterrorism, counterespionage, and protecting against threats to critical infrastructure. Bulk collection is permitted only in pursuit of these objectives and only when targeted collection is not feasible.
For the first time in a US executive order, the concept of "proportionality" appears as a binding constraint. Intelligence activities must be "proportionate to the validated intelligence priority for which they have been authorized" and must "balance the importance of the validated intelligence priority being advanced against the impact on the privacy and civil liberties of all persons."
Privacy and Civil Liberties Requirements
The order requires each intelligence agency to update its policies and procedures to incorporate the new safeguards. The Privacy and Civil Liberties Oversight Board (PCLOB) is tasked with reviewing these updated procedures and conducting an annual review of the redress process.
However, the PCLOB has faced operational challenges. By late 2024, political disputes over board appointments left it without a quorum, raising questions about the durability of this oversight layer.
The Data Protection Review Court
The most significant innovation in the DPF is the Data Protection Review Court (DPRC), established by Executive Order 14086 and implemented through Attorney General regulations.
How the DPRC Works
EU individuals who believe their data was unlawfully collected by US intelligence agencies can submit a complaint to their national data protection authority. The complaint is forwarded to the US Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence, who conducts an initial investigation.
If the complainant is dissatisfied with the CLPO's determination, they can appeal to the DPRC. The court consists of judges appointed by the Attorney General from outside the US government who hold appropriate security clearances.
Key Features
The DPRC has binding authority, meaning its decisions are enforceable against intelligence agencies. This addresses the Schrems II concern about the Ombudsperson's lack of binding power. A special advocate is appointed to represent the complainant's interests before the court, since the classified nature of intelligence activities prevents direct participation.
Limitations
Critics have raised concerns about the DPRC's independence. Judges are appointed by the Attorney General (part of the executive branch), not through the judicial appointment process. The proceedings are classified, meaning complainants receive only a generic confirmation that the review was completed, not a detailed explanation of findings. The NOYB organization (led by Max Schrems) has argued that this does not meet the CJEU's standard for effective judicial protection.
How the DPF Differs from Privacy Shield
The DPF addresses several specific weaknesses the CJEU identified in Privacy Shield, though the commercial certification side remains similar.
Intelligence Collection Limits
Privacy Shield relied on Presidential Policy Directive 28 (PPD-28), which stated that bulk collection should be "as tailored as feasible." The CJEU found this language too permissive. EO 14086 replaces this with a binding requirement that collection be "proportionate" and limited to 12 enumerated objectives.
Redress Mechanism
Privacy Shield created a State Department Ombudsperson, but this role lacked independence from the executive branch and had no binding authority. The DPRC is structurally more independent (judges from outside government) and has binding decision-making power.
Oversight
The PCLOB's role is more explicitly defined under the DPF, with specific review and reporting obligations. Intelligence agency policies must be updated and reviewed regularly.
Commercial Principles
The commercial certification principles are largely carried over from Privacy Shield, with some refinements. Organizations previously certified under Privacy Shield were given a transition period to re-certify under the DPF.
The First Review and Ongoing Monitoring
Article 45(3) of the GDPR requires the European Commission to periodically review adequacy decisions. The first review of the DPF took place in October 2024.
Findings of the First Review
The European Commission's first review report concluded that the DPF continues to ensure an adequate level of protection. The report noted that US agencies had implemented EO 14086, the DPRC was operational, and the Department of Commerce was actively monitoring certified organizations.
The Commission also identified areas for improvement. The PCLOB lacked a quorum for much of the review period, limiting its ability to conduct the annual oversight required by EO 14086. The Commission emphasized that restoring the PCLOB to full operational capacity was important for the framework's continued functioning.
The EDPB issued its own review report alongside the Commission. While acknowledging improvements, the EDPB called for greater transparency about how the DPRC handles complaints and recommended further clarification of the "proportionality" standard as applied by US intelligence agencies.
Risks and Challenges
Despite its adoption, the DPF faces several ongoing risks that organizations should factor into their compliance strategies.
Potential Legal Challenge (Schrems III)
NOYB, the organization led by Max Schrems, announced it would analyze the adequacy decision and potentially challenge it before the CJEU. A formal legal challenge has not been filed as of early 2026, but NOYB has consistently criticized the DPF for relying on an executive order (which a future president could revoke) rather than statutory changes, maintaining a redress mechanism that does not provide full transparency to complainants, and failing to fundamentally reform Section 702 of FISA.
Any CJEU challenge would likely take several years to reach a decision, providing a window of operational certainty. However, organizations should monitor developments closely.
Executive Order Vulnerability
Unlike a statute, an executive order can be modified or revoked by any subsequent president without Congressional approval. This structural vulnerability has been a consistent criticism. While no indication exists that EO 14086 will be revoked, the political nature of the framework remains a long-term risk factor.
FISA Section 702 Reauthorization
Section 702, which authorizes collection of foreign intelligence from non-US persons located outside the United States, was reauthorized by Congress in April 2024 for two years through April 2026. The reauthorization included expanded definitions of "electronic communications service providers" subject to surveillance obligations. Privacy advocates argued this expansion increased rather than decreased the scope of surveillance, though proponents noted it closed a loophole rather than creating new collection authority.
The next reauthorization debate in 2026 will be closely watched in Europe for any changes that might affect the DPF's adequacy assessment.
UK Extension
The UK Extension to the DPF (often called the "UK-US Data Bridge"), covered in detail under our GDPR vs UK GDPR comparison, was established separately in October 2023. It operates alongside the main DPF but under UK data protection law rather than EU law. US companies can extend their DPF certification to cover UK data transfers by opting in through the ITA.
Practical Guidance for Organizations
Organizations transferring data between the EU and the US should take several practical steps to rely on the DPF effectively.
For US Companies Receiving EU Data
- Verify your organization is eligible (subject to FTC or DOT jurisdiction)
- Complete the self-certification process through dataprivacyframework.gov
- Update your privacy policy to reflect all DPF Principles
- Designate an independent dispute resolution body
- Implement internal procedures for handling data access requests and complaints
- Re-certify annually before your certification expires
For EU Organizations Transferring Data
- Before transferring personal data, verify the recipient's active DPF certification on the official list
- Document the legal basis for transfer (the adequacy decision) in your Records of Processing Activities
- Monitor the recipient's certification status, since a lapsed certification invalidates the transfer basis
- Consider maintaining SCCs as a backup mechanism in case the DPF is invalidated or the recipient loses certification
Contingency Planning
Given the history of invalidated frameworks, prudent organizations maintain alternative transfer mechanisms. SCCs remain valid and can serve as a fallback. Transfer Impact Assessments prepared for the Schrems II era remain relevant. Organizations should document their contingency plan and be prepared to activate alternative safeguards if needed.
This is general legal information, not legal advice. Organizations handling cross-border data transfers should consult an attorney for advice specific to their situation.
Sources and References
- European Commission, EU-US Data Transfers (commission.europa.eu)
- Executive Order 14086 (whitehouse.gov)
- Data Privacy Framework Program (dataprivacyframework.gov)
- Data Protection Review Court (justice.gov)
- EDPB Opinion 5/2023 on the DPF (edpb.europa.eu)
- European Commission, First DPF Review (commission.europa.eu)
- EDPB Report on the First DPF Review (edpb.europa.eu)
- NOYB Analysis of the DPF (noyb.eu)
- Safe Harbor Overview (trade.gov)
- UK-US Data Bridge (gov.uk)
- FTC Privacy Shield Cases (ftc.gov)
- Attorney General Regulations on the DPRC (justice.gov)