EU-US Data Privacy Framework: Complete Guide (2026)
The EU-US Data Privacy Framework (DPF) is an adequacy decision adopted by the European Commission on July 10, 2023 under GDPR Article 45, authorizing lawful transfers of personal data from the EU to US organizations that self-certify compliance through the Department of Commerce.
The DPF is the third attempt by the European Union and the United States to create a stable legal mechanism for transferring personal data across the Atlantic. Its two predecessors, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the European Union (CJEU). Understanding why those frameworks failed, how the DPF was designed to address those failures, and what challenges now threaten it is essential for any organization that moves personal data between the EU and the US.
This guide covers the full history, the mechanics of the DPF, the new redress mechanism, the 2024 first review, the Latombe litigation and its pending CJEU appeal, the PCLOB crisis, and practical steps businesses should take now.
Quick Answer
The EU-US Data Privacy Framework is valid law. The European Commission's July 2023 adequacy decision stands. The EU General Court upheld it in September 2025, and the DPF remains the easiest legal basis for EU-to-US personal data transfers. However, a CJEU appeal (Case C-703/25 P) is pending, the oversight body that reviews the DPF's intelligence safeguards (the PCLOB) is in legal limbo, and FISA Section 702 is operating on a short-term extension as Congress debates renewal. Organizations that rely solely on the DPF should maintain Standard Contractual Clauses as a backup.
From Safe Harbor to Privacy Shield to the DPF
The path to the current framework spans more than two decades and two landmark CJEU rulings.
Safe Harbor (2000 to 2015)
The Safe Harbor framework was adopted in 2000 to bridge the fundamental difference between EU and US approaches to data protection. US companies could self-certify that they met a set of privacy principles aligned with EU standards. Roughly 4,500 companies participated.
In October 2015, the CJEU invalidated Safe Harbor in the Schrems I ruling (Case C-362/14). Austrian privacy advocate Max Schrems challenged Facebook Ireland's data transfers, arguing that Edward Snowden's revelations about NSA mass surveillance programs showed the US did not provide adequate protection. The Court agreed: Safe Harbor did not sufficiently limit US government access to EU personal data, and it offered no effective judicial redress for EU individuals.
Privacy Shield (2016 to 2020)
The EU-US Privacy Shield replaced Safe Harbor: the Commission adopted its adequacy decision on July 12, 2016, and the Department of Commerce began accepting certifications on August 1, 2016. It included stronger privacy principles, enhanced FTC oversight, and a State Department Ombudsperson to handle EU complaints about intelligence activities. Over 5,300 US companies certified.
In July 2020, the CJEU struck down Privacy Shield in Schrems II (Case C-311/18). US surveillance programs -- particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 -- allowed bulk data collection exceeding what was "strictly necessary" under EU law. The Ombudsperson was not sufficiently independent and had no binding authority over intelligence agencies.
Negotiations Leading to the DPF (2020 to 2023)
After Schrems II, organizations relied primarily on Standard Contractual Clauses combined with Transfer Impact Assessments. EU-US negotiations began almost immediately.
In March 2022, President Biden and Commission President von der Leyen announced an agreement in principle. On October 7, 2022, President Biden signed Executive Order 14086 ("Enhancing Safeguards for United States Signals Intelligence Activities"), creating the substantive legal changes the new framework required.
The Commission published its draft adequacy decision in December 2022. The EDPB issued its opinion in February 2023, acknowledging improvements while raising concerns. The final adequacy decision was adopted on July 10, 2023.
How the DPF Works
The DPF has two complementary parts: self-certification by US companies and binding US government commitments on intelligence activities.
The Certification Process
US companies join the DPF by self-certifying through the International Trade Administration (ITA) at the Department of Commerce. Certification is voluntary but creates legally binding obligations once made.
To certify, an organization must:
- Confirm it is subject to FTC or Department of Transportation (DOT) enforcement jurisdiction
- Develop a privacy policy conforming to the DPF Principles
- Identify an independent recourse mechanism for handling individual complaints
- Pay the applicable annual fee based on annual revenue
- Submit its certification through the Data Privacy Framework website
More than 2,800 organizations hold active certifications as of 2026. The ITA maintains a public list of certified organizations that EU data exporters should verify before any transfer.
The DPF Principles
Certified organizations must comply with privacy principles that mirror core GDPR concepts:
- Notice: Inform individuals about data collection purposes, practices, and rights
- Choice: Allow individuals to opt out of materially different uses or third-party disclosures
- Accountability for Onward Transfer: Protect data shared with third parties through contracts requiring equivalent protections
- Security: Implement reasonable and appropriate measures against loss, misuse, and unauthorized access
- Data Integrity and Purpose Limitation: Limit personal data to what is relevant for the stated purpose
- Access: Allow individuals to access, correct, or delete their personal data
- Recourse, Enforcement, and Liability: Maintain robust compliance mechanisms and remedies
Enforcement
The FTC is the primary enforcement body. Companies that fail to uphold DPF commitments face enforcement under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The Department of Commerce monitors compliance, conducts spot-checks, and can remove non-compliant organizations from the certified list.
Executive Order 14086: The Legal Foundation
Executive Order 14086 directly addressed the two deficiencies the CJEU identified in Schrems II: the absence of proportionality constraints on US intelligence collection and the lack of an independent redress mechanism.
Restrictions on Intelligence Collection
The order limits signals intelligence collection to 12 defined national security objectives, including counterterrorism, counterespionage, and protecting critical infrastructure. For the first time in a US executive order, "proportionality" appears as a binding constraint: activities must be proportionate to the validated intelligence priority and must balance that priority against privacy impacts on all persons, not just US citizens.
Privacy and Civil Liberties Requirements
Each intelligence agency must update its policies to incorporate these safeguards. The Privacy and Civil Liberties Oversight Board (PCLOB) is assigned a central role: reviewing agency procedures for compliance, consulting on appointments of DPRC judges, and conducting an annual review of how redress bodies handle complaints.
Vulnerability: It Is an Executive Order
Because EO 14086 is an executive order rather than a statute, it can be modified or revoked by any president without Congressional approval. This structural vulnerability has been a consistent criticism from privacy advocates and the EDPB. The Trump administration's treatment of the PCLOB in 2025 demonstrated how easily executive-branch components of the framework can be disrupted.
The Data Protection Review Court
The most significant innovation in the DPF is the Data Protection Review Court (DPRC), established by EO 14086 and implemented through Attorney General regulations.
How the DPRC Works
EU individuals who believe their data was unlawfully collected by US intelligence agencies submit a complaint to their national data protection authority. That authority transmits the complaint, via the EDPB, to the US Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence, who conducts the initial investigation and issues a determination that is itself binding on the agencies concerned.
Either the complainant or an element of the intelligence community can then apply to the DPRC for review of the CLPO's determination. The court consists of judges appointed by the Attorney General, in consultation with the PCLOB, from outside the US government; they hold the security clearances the classified record requires. A special advocate is appointed to represent the complainant's interests, since the classified proceedings prevent direct participation. The DPRC's decisions bind the intelligence agencies, which is the key structural improvement over the Privacy Shield Ombudsperson.
What the General Court Found in Latombe
When Case T-553/23 came before the EU General Court, one of Latombe's central arguments was that the DPRC was not a sufficiently independent tribunal. The General Court rejected that argument in its September 3, 2025 judgment, finding the DPRC's composition, oversight mechanisms, and binding powers met the standards required by EU law. The Court also found that US law sufficiently limited bulk data collection and that protections around data security and automated decision-making were substantially equivalent to EU standards.
Ongoing Criticisms
Privacy advocates, including NOYB (led by Max Schrems), continue to argue that the DPRC fails the CJEU's standard for effective judicial protection because complainants receive only a standard notice stating that the review either identified no covered violation or resulted in a determination requiring remediation. The complainant learns neither which of the two applied nor why. The classified nature of the proceedings is a structural feature of the design, not an oversight that can be fixed by regulation.
The UK Extension and the Swiss-US DPF
The DPF does not automatically cover UK or Swiss data transfers. Each required a separate adequacy process.
UK-US Data Bridge (UK Extension)
The UK established the UK Extension to the DPF -- commonly called the UK-US Data Bridge -- in October 2023. US companies with active DPF certifications can opt in to cover UK data transfers through the same ITA portal. The UK extension operates under the UK GDPR rather than the EU GDPR, reflecting the UK's independent data protection regime following Brexit. The extension has its own supplementary rules addressing differences between UK and EU data protection law.
Swiss-US Data Privacy Framework
Switzerland took a separate path. On August 14, 2024, the Swiss Federal Council recognized the adequacy of data protection provided by US companies certified under the DPF. The decision took effect September 15, 2024. The Swiss Federal Council press release confirmed that the United States was added to Switzerland's list of adequate countries, limited to DPF-certified organizations. US companies can extend their DPF certification to cover Swiss transfers through the ITA portal.
The Swiss-US DPF faces the same EO 14086 vulnerability as the EU-US version. Swiss privacy advocates have flagged that the PCLOB disruption in 2025 creates uncertainty about the oversight mechanisms the Swiss adequacy assessment relied upon.
The First Periodic Review (October 2024)
Article 45(3) of the GDPR requires the European Commission to review adequacy decisions periodically, at least every four years; the DPF decision itself scheduled the first review within one year of adoption. That first review took place in October 2024.
Commission Findings
The European Commission's first review report concluded that the DPF continues to ensure an adequate level of protection. US agencies had implemented EO 14086, the DPRC was operational, and Commerce was actively monitoring certified organizations.
The Commission identified one significant concern: the PCLOB lacked a quorum for much of the review period. The Commission stated that restoring the PCLOB to full operational capacity was important for the framework's continued functioning.
EDPB Findings
The EDPB's first review report acknowledged improvements but called for greater transparency about how the DPRC handles complaints and recommended further clarification of how US intelligence agencies apply the proportionality standard in practice.
Legal Challenges and Risks
The Latombe Case: T-553/23 and the Pending CJEU Appeal C-703/25 P
Philippe Latombe, a Member of the French National Assembly, filed an action in the EU General Court seeking annulment of the Commission's adequacy decision. This was the first direct judicial challenge to the DPF.
On September 3, 2025, the General Court dismissed the action. The Court found the DPRC sufficiently independent and impartial, that US law adequately limited bulk data collection, and that US protections for data security and automated decision-making were substantially equivalent to EU law.
Latombe filed an appeal on October 31, 2025. The case was registered at the Court of Justice as Case C-703/25 P. The CJEU appeal is limited to points of law. No hearing date had been announced as of May 2026. If the CJEU issues a merits ruling against the DPF, it would be the third consecutive invalidation of a transatlantic data transfer framework.
NOYB and the Schrems III Threat
NOYB has not yet filed its own challenge to the DPF but has consistently criticized it. Core arguments: the framework rests on an executive order rather than legislation; the DPRC does not provide transparency to complainants; Section 702 of FISA has not been fundamentally reformed. NOYB monitors the Latombe appeal and PCLOB developments for trigger points that might support a separate action.
The PCLOB Crisis
The PCLOB disruption is the most immediate operational risk to the DPF's underlying safeguards.
On January 27, 2025, President Trump fired three of the five PCLOB board members -- all Democrats -- by one-sentence email, without cause. This eliminated the board's quorum. Two of the removed members, Edward Felten and Travis LeBlanc, filed suit in federal court. On May 21, 2025, a district court ruled their removal unlawful and ordered reinstatement.
The Trump administration appealed. On July 1, 2025, the DC Circuit Court of Appeals stayed the reinstatement order pending appeal, and the case was subsequently deferred pending the Supreme Court's ruling in Trump v. Slaughter (No. 25-332) -- which will determine the constitutional limits of presidential power to remove independent oversight board members. Until that question is resolved, the PCLOB cannot function at full capacity.
The practical consequences for the DPF: the PCLOB cannot conduct the annual reviews of EO 14086 compliance required by the order itself; its consulting role in DPRC judge appointments is suspended; and both the EDPB and the European Commission have flagged the PCLOB's incapacity as a concern for the framework's ongoing adequacy assessment.
FISA Section 702
Section 702 of FISA authorizes the targeting of non-US persons reasonably believed to be located outside the United States, with compelled assistance from US electronic communications service providers, to acquire foreign intelligence information. The two-year reauthorization enacted in April 2024 (the Reforming Intelligence and Securing America Act, RISAA) lapsed in April 2026. Congress passed a 45-day short-term extension, keeping Section 702 operational through mid-June 2026, while debate on longer-term reauthorization continues.
The RISAA expansion of "electronic communications service provider" definitions drew criticism from European privacy advocates, who argued it widened the scope of companies subject to surveillance obligations. The outcome of the 2026 reauthorization debate will be watched closely by the Commission and EDPB in assessing whether the DPF's adequacy conditions remain satisfied.
If the DPF Falls: The SCC Fallback
Given that Safe Harbor and Privacy Shield were both invalidated, organizations should maintain a contingency plan.
Standard Contractual Clauses (SCCs) are the primary fallback. SCCs are standard contractual terms approved by the European Commission under Article 46(2)(c) GDPR; the current modular set was adopted in June 2021 (Commission Implementing Decision (EU) 2021/914). They bind the US data importer to EU-equivalent protections and give data subjects third-party-beneficiary rights directly enforceable against the importer.
SCCs do not make an EU-to-US transfer automatically lawful. The exporter must also conduct a Transfer Impact Assessment (TIA) evaluating whether US law and practice allow the importer to honour the SCCs in practice, and adopt supplementary measures where they do not. After Schrems II, organizations built TIA methodologies for exactly this situation; an existing TIA can be reactivated and refreshed (for example, to reflect EO 14086 and any change to Section 702) rather than written from scratch if the DPF falls.
Other Article 46 transfer mechanisms include binding corporate rules (BCRs) for intra-group transfers, approved codes of conduct, and narrow Article 49 derogations (consent, contract performance, important reasons of public interest). Derogations are not suitable as a routine transfer basis.
Organizations that maintained SCCs alongside their DPF reliance would be able to continue transfers with minimal disruption if the DPF is invalidated. Those relying solely on the DPF would face a more significant transition, as anyone who scrambled to execute SCC addenda in the weeks after Schrems II can attest.
How the DPF Differs from Privacy Shield
Intelligence collection limits: Privacy Shield relied on Presidential Policy Directive 28 (PPD-28), which called for bulk collection to be "as tailored as feasible." The CJEU found this too permissive. EO 14086 replaces it with a binding proportionality requirement and 12 enumerated permissible objectives.
Redress mechanism: Privacy Shield's State Department Ombudsperson lacked independence from the executive branch and had no binding authority. The DPRC is structurally more independent (judges from outside government) and its decisions bind intelligence agencies.
Oversight: The PCLOB's role is explicitly defined under EO 14086 with specific review and reporting obligations -- though as 2025 demonstrated, executive-branch oversight components are vulnerable to political disruption.
Practical Guidance for Organizations
For US Companies Receiving EU Data
Verify your organization is subject to FTC or DOT jurisdiction. Complete or renew self-certification through dataprivacyframework.gov. Update your public privacy policy to reflect all DPF Principles. Designate an independent dispute resolution body. Implement internal procedures for data access requests and complaints. Re-certify annually: a lapsed certification removes the adequacy basis for new transfers received during the gap, while data already received under the DPF remains subject to the Principles for as long as you retain it.
If you also receive UK data, opt in to the UK Extension through the ITA portal. If you receive Swiss data, opt in to the Swiss-US DPF extension.
For EU Organizations Transferring Data
Before any transfer, verify the recipient holds an active DPF certification on the official participant list. Certification status changes; spot-check before significant new data flows begin. Document the adequacy decision as the legal basis in your Records of Processing Activities under Article 30 GDPR.
Monitor the recipient's annual renewal date. A lapsed certification means the adequacy basis no longer applies to new transfers.
Contingency Planning
Given the history of invalidated frameworks and the pending CJEU appeal in Case C-703/25 P, prudent organizations should:
- Execute SCCs in parallel with DPF certification for high-volume or sensitive data flows
- Maintain a Transfer Impact Assessment that can be activated if the DPF is struck down
- Document a transition plan identifying which flows rely on the DPF and how each would be covered under SCCs
- Monitor CJEU developments in C-703/25 P and the Supreme Court's decision in Trump v. Slaughter
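The contingency checklist above is the kind of thing worth encoding in a data-flow inventory rather than keeping in a spreadsheet nobody re-reads. The following is an added example, not code from the page or from the DPF programme: a small Python evaluator that, for each recorded flow, decides whether the transfer currently rests on the adequacy decision (with the correct UK or Swiss extension), on SCCs backed by a TIA, or on nothing, and flags imminent re-certification dates and sensitive flows that rely on the DPF alone. The recipients, dates and the 30-day warning window are constructed assumptions, and the certification status is assumed to have been copied from the official participant list by hand or by your own export; the script does not query dataprivacyframework.gov. It goes one step beyond the text by modelling the EU, UK and Swiss adequacy decisions as separate switches, since a CJEU annulment of the EU decision would not by itself annul the UK or Swiss arrangements, so that scenario can be simulated on its own.

```python
"""Transfer-basis check over a data-flow inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: how far ahead of the annual re-certification date to raise a warning.
RENEWAL_WARNING_DAYS = 30
# Jurisdictions whose adequacy decision is currently in force (all three by default).
ALL_ORIGINS = frozenset({"EU", "UK", "CH"})


@dataclass(frozen=True)
class Recipient:
    name: str
    dpf_active: bool                # status as shown on the official participant list
    dpf_expires: Optional[date]     # next annual re-certification date; None if never certified
    uk_extension: bool = False      # opted in to the UK Extension (UK-US Data Bridge)
    swiss_extension: bool = False   # opted in to the Swiss-US DPF


@dataclass(frozen=True)
class Flow:
    name: str
    recipient: Recipient
    origin: str                     # "EU", "UK" or "CH": where the personal data is exported from
    scc_executed: bool = False      # Article 46 SCCs signed with this importer
    tia_completed: bool = False     # Transfer Impact Assessment on file for this importer
    sensitive: bool = False         # high-volume or sensitive flow per the contingency guidance


def dpf_covers(flow: Flow, today: date, in_force: frozenset = ALL_ORIGINS) -> bool:
    """True if the relevant adequacy decision and an unexpired certification cover this flow."""
    r = flow.recipient
    if flow.origin not in in_force:                     # that jurisdiction's decision has fallen
        return False
    if not r.dpf_active or r.dpf_expires is None or r.dpf_expires < today:
        return False                                    # lapsed: no adequacy basis for new transfers
    if flow.origin == "EU":
        return True
    if flow.origin == "UK":
        return r.uk_extension
    if flow.origin == "CH":
        return r.swiss_extension
    return False


def transfer_basis(flow: Flow, today: date, in_force: frozenset = ALL_ORIGINS) -> tuple[str, list[str]]:
    """Return (basis, warnings); basis is "DPF", "SCC" or "NONE"."""
    warnings: list[str] = []
    if dpf_covers(flow, today, in_force):
        days_left = (flow.recipient.dpf_expires - today).days
        if days_left <= RENEWAL_WARNING_DAYS:
            warnings.append(f"re-certification due in {days_left} days")
        if flow.sensitive and not (flow.scc_executed and flow.tia_completed):
            warnings.append("sensitive flow relies on DPF alone; execute SCCs and a TIA in parallel")
        return "DPF", warnings
    # SCCs are a lawful basis only together with a TIA (Schrems II).
    if flow.scc_executed and flow.tia_completed:
        return "SCC", warnings
    if flow.scc_executed:
        warnings.append("SCCs executed but no TIA on file")
    return "NONE", warnings + ["no lawful transfer basis; suspend or re-paper this flow"]


def inventory_report(flows, today: date, in_force: frozenset = ALL_ORIGINS) -> dict:
    """Map each flow name to its (basis, warnings) under the given scenario."""
    return {f.name: transfer_basis(f, today, in_force) for f in flows}


# Constructed sample inventory: fictitious recipients, dates and flows.
TODAY = date(2026, 5, 15)
ACME = Recipient("Acme Cloud Inc.", True, date(2026, 6, 1), uk_extension=True)
BETA = Recipient("Beta Analytics LLC", True, date(2026, 4, 30))          # certification lapsed
GAMMA = Recipient("Gamma Payroll Corp.", True, date(2027, 1, 10), swiss_extension=True)

FLOWS = [
    Flow("hr-records", ACME, "EU", scc_executed=True, tia_completed=True, sensitive=True),
    Flow("web-analytics", BETA, "EU", scc_executed=True),
    Flow("uk-crm", ACME, "UK"),
    Flow("ch-payroll", GAMMA, "CH", sensitive=True),
    Flow("eu-payroll", GAMMA, "EU", scc_executed=True, tia_completed=True, sensitive=True),
]

if __name__ == "__main__":
    scenarios = (("all decisions in force", ALL_ORIGINS),
                 ("CJEU annuls the EU decision", frozenset({"UK", "CH"})))
    for label, in_force in scenarios:
        print(f"== {label} ==")
        for name, (basis, warns) in inventory_report(FLOWS, TODAY, in_force).items():
            print(f"{name:14} {basis:5} {'; '.join(warns)}")
```

Running it shows the two outcomes the text warns about: the lapsed Beta certification leaves web-analytics with no basis in either scenario because its SCCs have no TIA behind them, while the flows that paired SCCs with a TIA drop from "DPF" to "SCC" without interruption when the EU decision is switched off.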
This is general legal information, not legal advice. Organizations handling cross-border data transfers should consult qualified counsel for advice specific to their circumstances.
Frequently Asked Questions
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework (DPF) is the legal mechanism enabling personal data to flow from the European Union to certified US organizations. The European Commission adopted its adequacy decision on July 10, 2023. It replaced the Privacy Shield framework, which the CJEU invalidated in 2020. The DPF combines voluntary self-certification by US companies with binding US government commitments to limit intelligence agency access to EU personal data and provide independent redress through the Data Protection Review Court.
Has the DPF been challenged in court?
Yes. French Member of Parliament Philippe Latombe challenged the Commission's adequacy decision in the EU General Court (Case T-553/23). The General Court dismissed his action on September 3, 2025, upholding the DPF's validity. Latombe filed an appeal with the Court of Justice of the EU on October 31, 2025 (Case C-703/25 P). That appeal is pending as of May 2026. A CJEU ruling against the DPF would be the most serious threat the framework has faced, given the Court's history of invalidating its predecessors.
What is the Data Protection Review Court?
The Data Protection Review Court (DPRC) is an independent body established by Executive Order 14086 to review complaints from EU individuals who believe their data was unlawfully collected by US intelligence agencies. Its judges are appointed from outside the US government, and its decisions bind intelligence agencies. It replaced the Privacy Shield's State Department Ombudsperson, which the CJEU found insufficiently independent. The EU General Court upheld the DPRC's independence and impartiality in September 2025.
What happened to the PCLOB?
On January 27, 2025, President Trump fired three Democratic members of the five-member Privacy and Civil Liberties Oversight Board by one-sentence email, eliminating its quorum. Two fired members sued and won reinstatement at the district court level. The Trump administration appealed, and the DC Circuit stayed the reinstatement order. The case was deferred pending the Supreme Court's decision in Trump v. Slaughter (No. 25-332). The PCLOB cannot conduct its annual DPF oversight reviews or fulfill its consulting role in DPRC judge appointments until the quorum issue is resolved.
What is Executive Order 14086?
Executive Order 14086, signed by President Biden on October 7, 2022, is the legal foundation of the DPF. It limits US signals intelligence collection to 12 defined national security objectives, introduces a proportionality requirement for surveillance activities -- the first in a US executive order -- and establishes the Data Protection Review Court. Because it is an executive order rather than a statute, it can be modified or revoked by any subsequent president without Congressional approval, which is a persistent structural criticism of the DPF.
Does the DPF cover UK or Swiss data transfers?
Not automatically. The UK established a separate arrangement -- the UK Extension to the DPF, commonly called the UK-US Data Bridge -- in October 2023. Switzerland recognized the adequacy of DPF-certified US companies on August 14, 2024, with the Swiss adequacy decision taking effect September 15, 2024. US companies with active DPF certifications can opt in to cover UK and Swiss transfers through the same ITA portal.
What is the SCC fallback if the DPF is invalidated?
Standard Contractual Clauses (SCCs) are the primary fallback transfer mechanism under Article 46 GDPR. They are standard contractual terms approved by the European Commission that bind the US data importer to EU-equivalent protections. Organizations using SCCs must also conduct a Transfer Impact Assessment. Organizations with SCCs already in place could continue EU-to-US data flows immediately after a DPF invalidation; those relying solely on the DPF would face a more disruptive transition.
What is the current status of FISA Section 702?
Section 702 of the Foreign Intelligence Surveillance Act authorizes the targeting of non-US persons reasonably believed to be located outside the United States, with compelled assistance from US electronic communications service providers, to acquire foreign intelligence information. The two-year reauthorization from April 2024 lapsed in April 2026. Congress passed a 45-day short-term extension, keeping Section 702 operational through mid-June 2026, while debate on longer-term reauthorization continues. The outcome matters for the DPF because Section 702 was one of the US surveillance authorities cited in Schrems II, and European regulators watch its scope closely.
How does a US company certify under the DPF?
Companies certify by submitting an application through the International Trade Administration at dataprivacyframework.gov. The company must be subject to FTC or DOT enforcement jurisdiction, develop a DPF-compliant privacy policy, identify an independent dispute resolution mechanism, and pay an annual fee. Certification must be renewed each year. Over 2,800 organizations held active certifications as of 2026.
Sources and References
- European Commission - EU-US Data Transfers (commission.europa.eu)
- European Commission - Adequacy Decision Press Release (ec.europa.eu)
- Executive Order 14086 (whitehouse.gov)
- Data Privacy Framework Program (dataprivacyframework.gov)
- DPF Principles (dataprivacyframework.gov)
- Data Protection Review Court (justice.gov)
- AG Regulations on DPRC (justice.gov)
- EDPB Opinion 5/2023 on DPF (edpb.europa.eu)
- European Commission First DPF Review (commission.europa.eu)
- EDPB Report on First DPF Review (edpb.europa.eu)
- EU General Court Press Release - Case T-553/23 Latombe (curia.europa.eu)
- EUR-Lex - Case C-703/25 P Latombe Appeal (eur-lex.europa.eu)
- NOYB Analysis of DPF (noyb.eu)
- Swiss Federal Council - Swiss-US DPF Adequacy Decision (admin.ch)
- DPF Swiss Overview (dataprivacyframework.gov)
- UK-US Data Bridge (gov.uk)
- Safe Harbor Overview (trade.gov)
- FTC Privacy Shield Cases (ftc.gov)
- Brennan Center - PCLOB LeBlanc Case (brennancenter.org)
- FISA Section 702 2026 Resource Page (brennancenter.org)
- EDPB DPF FAQ for Businesses v2.0 (edpb.europa.eu)