Updated: July 2026
The EU-US Data Privacy Framework (DPF) is a self-certification scheme that lets US companies lawfully receive personal data from the European Union without additional transfer safeguards such as Standard Contractual Clauses. It took effect on 10 July 2023 and replaced the Privacy Shield, which the Court of Justice of the EU struck down in 2020. Certified US companies are treated as providing protection that is essentially equivalent to EU law.
The framework gives US companies legal certainty for transatlantic business while keeping strong data protection standards. You can self-certify with the Department of Commerce, keep your certification current, and use it for EU data transfers.
• The EU-US Data Privacy Framework (DPF) lets certified US companies legally receive EU personal data without extra safeguards.
• It started on 10 July 2023 and replaced the Privacy Shield, which the courts struck down.
• You self-certify with the US Department of Commerce, then renew every year to keep your benefits.
• Only organisations on the official Data Privacy Framework List get the adequacy protection, so working with a certified vendor does not cover data your own US entity receives.
• You remain accountable for onward transfers to third parties, and the FTC can enforce your DPF commitments under Section 5 of the FTC Act.
The Data Privacy Framework has three linked parts:
• EU-US Data Privacy Framework: covers transfers from EU member states.
• UK Extension: covers transfers from the United Kingdom and Gibraltar.
• Swiss-US DPF: covers transfers from Switzerland under the Swiss FADP.
The European Commission adopted the adequacy decision on 10 July 2023, after concluding that the United States ensures an adequate level of protection for personal data transferred to certified US companies. The Department of Commerce runs the framework through its International Trade Administration and maintains the public Data Privacy Framework List of participating organisations.
The framework answers the problems raised in the Schrems II ruling, which invalidated the Privacy Shield in 2020. The main legal points are:
• Executive Order 14086: limits US signals intelligence activities to what is necessary and proportionate to defined national security objectives.
• Data Protection Review Court: lets EU individuals challenge how US intelligence agencies have accessed their data, as the second layer of a redress mechanism that begins with the Civil Liberties Protection Officer.
• Essential equivalence standard: the DPF Principles must provide a level of protection essentially equivalent to that guaranteed under EU law, which is the test the Commission applies in any adequacy decision.
This structure convinced the European Commission that certified US companies give adequate protection, so no extra transfer safeguards are needed.
The framework gives clear benefits:
• Legal certainty: Removes the transfer impact assessment that Standard Contractual Clauses require
• Market access: Enables continued operations in EU markets worth over $7 trillion in GDP
• Competitive advantage: Simplifies vendor selection for EU companies seeking US service providers
• Risk mitigation: Reduces exposure to GDPR fines, which can reach 4% of global annual turnover or €20 million, whichever is higher
The European Data Protection Board has confirmed that personal data can be transferred to DPF-certified companies without further authorisation or supplementary measures, provided the recipient's certification covers the data in question (HR data needs separate coverage). This cuts compliance work compared with other transfer mechanisms.
The Federal Trade Commission can enforce DPF obligations under Section 5 of the FTC Act, and has said it will enforce them vigorously.
| Method | Implementation Time | Legal Certainty | Ongoing Requirements | Cost Level |
|---|---|---|---|---|
| Data Privacy Framework | 2-4 weeks | High (adequacy decision) | Annual re-certification | Medium |
| Standard Contractual Clauses | 1-2 weeks | Medium (requires assessments) | Transfer impact assessments | Low |
| Binding Corporate Rules | 12-18 months | High | Periodic audits | High |
| Consent/Derogations | Immediate | Low (limited scope) | Per-transfer basis | Low |
For most US companies that regularly receive EU personal data, the Data Privacy Framework offers the best balance of implementation speed, legal certainty, and sustainable compliance.
Before you start, check what your organisation needs:
• Data audit: Identify all EU personal data your company receives or processes
• Transfer mapping: Document data flows from EU entities to your US operations
• Category assessment: Determine if you need HR data coverage or other specific categories
• Resource evaluation: Ensure you can commit to annual recertification and ongoing compliance
Preparation checklist:
• Legal review of current data processing activities
• Privacy policy assessment and potential updates
• Independent recourse mechanism selection
• Internal compliance team designation
Complete the process through the Department of Commerce:
• Submit self-certification: Commit to the DPF Principles through the official Department of Commerce portal and pay the annual fee
• Privacy policy updates: Publish a privacy policy that states your DPF commitments before you submit
• Recourse mechanism: Designate an independent recourse mechanism to handle individual complaints; if you certify for HR data, you must commit to cooperate with the EU data protection authorities
• Public listing: Appear on the official Data Privacy Framework List so EU counterparties can verify your status
The seven DPF Principles you must follow:
• Notice: tell individuals what data you collect, why, and how to contact you
• Choice: let individuals opt out of disclosure to third parties or use for a materially different purpose
• Accountability for Onward Transfer: bind third-party recipients by contract to the same level of protection
• Security: apply reasonable and appropriate safeguards against loss, misuse and unauthorised access
• Data Integrity and Purpose Limitation: keep data accurate and relevant, and process it only for the purposes notified
• Access: give EU individuals the right to see, correct and delete their data
• Recourse, Enforcement and Liability: provide an independent complaint mechanism and accept enforcement of your commitments
Ongoing duties keep your benefits:
• Annual re-certification: Submit renewal before expiration to maintain Data Privacy Framework List status
• Policy maintenance: Update privacy practices to reflect any framework modifications
• Vendor management: Ensure onward transfers comply with accountability requirements
• Dispute resolution: Respond to individual complaints through designated recourse mechanisms
Things to track:
• Data subject request response times
• Security incident documentation
• Vendor contract compliance audits
• Training completion rates for relevant staff
• Mistake 1: thinking you are covered without your own certification. Working with certified vendors does not cover you. Only organisations on the Data Privacy Framework List get the adequacy benefits.
• Mistake 2: missing annual re-certification. If your certification lapses, you are removed from the Data Privacy Framework List, can no longer rely on the adequacy decision for new transfers, and must switch to another transfer mechanism.
• Mistake 3: weak onward transfer protection. The Accountability for Onward Transfer principle requires that your subprocessors and other third-party recipients give the same level of protection through contract.
Tip: set automatic reminders for re-certification deadlines and keep legal counsel who know transatlantic data rules. Regular audits catch problems before they affect your certification.
The EU-US Data Privacy Framework gives US companies the simplest route to legal EU data transfers under GDPR. The main steps are Department of Commerce self-certification, annual renewal, and following the DPF Principles.
Success factors:
• Complete data transfer audits before certification
• Maintain accurate Data Privacy Framework List status
• Implement strong vendor accountability for onward transfers
• Establish systematic compliance monitoring and renewal processes
• Leverage the European Commission’s adequacy decision for competitive advantage
The framework’s stronger safeguards and the Data Protection Review Court address the old Privacy Shield concerns and give protection that is essentially equivalent to EU law.
Next step: review your current EU data transfer practices and, if you handle European personal data, start the Department of Commerce self-certification. Talk to qualified legal counsel to get implementation and GDPR compliance right.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.
Can I transfer EU personal data without DPF certification?
Yes. You can use other mechanisms such as Standard Contractual Clauses, but these require a transfer impact assessment and possibly supplementary measures under EU law.
What happens if I withdraw or am removed from the Data Privacy Framework List?
You must stop claiming that you participate, but you still have to apply the DPF Principles to the personal data you received under the framework, or return or delete it. Put another transfer mechanism in place before removal so your data flows stay lawful.
How does the Data Protection Review Court affect my business?
The court gives EU individuals a way to challenge intelligence-related access to their data. It strengthens the framework's legal basis and does not usually affect everyday business operations.
Do I have to certify under all three parts of the framework?
No. You can self-certify under each one separately based on your needs. The UK Extension does require participation in the EU-US DPF first, though.
What can the FTC do if I break my DPF commitments?
The FTC can investigate and act under Section 5 of the FTC Act against unfair or deceptive practices. This includes consent orders and civil penalties for companies that misrepresent their participation or break their DPF commitments.