EU-US Data Privacy Framework: How Commerce Manages Transatlantic Data Flows

GovFacts

Last updated 6 months ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.

The flow of data across borders drives the global economy, particularly between the United States and European Union. This relationship underpins a massive economic partnership valued at over $7.1 trillion annually. However, this critical exchange has been plagued by years of legal uncertainty.

The conflict stems from different worldviews: the EU treats data privacy as a human right while the U.S. legal system provides for government surveillance in the name of national security.

The EU-US Data Privacy Framework represents the latest and most ambitious attempt to build a stable legal bridge over these troubled waters. Effective July 10, 2023, the DPF allows lawful transfer of personal data from the EU and European Economic Area to U.S. companies that commit to upholding specific privacy principles.

The U.S. Department of Commerce administers this framework, aiming to provide legal certainty that businesses crave while addressing stringent privacy concerns repeatedly raised by European courts. The DPF represents the third major iteration of a transatlantic data transfer agreement, following two predecessors that were both invalidated by the EU’s highest court.

The Troubled History of EU-US Data Transfers

The Data Privacy Framework builds on the failures of its predecessors: the International Safe Harbor and EU-US Privacy Shield. Both were invalidated by the Court of Justice of the European Union, creating significant disruption for thousands of businesses. Understanding this history is essential to grasping why the DPF was created and what legal challenges it still faces.

At the conflict’s heart lies a deep philosophical and legal divergence. The European Union’s General Data Protection Regulation establishes strict rules for how organizations can collect, use, and manage personal data of EU individuals.

A core GDPR tenet, found in Article 45, states that personal data can only be transferred outside the EU to a “third country” if that country provides data protection “essentially equivalent” to that guaranteed within the EU. This “adequacy decision,” made by the European Commission, is the gold standard for international data transfers.

On the other side, the United States lacks a single, overarching federal privacy law. Instead, it has a patchwork of sector-specific laws. More critically for transatlantic data flows, U.S. law includes powerful surveillance authorities granted to intelligence agencies for national security purposes.

Chief among these is Section 702 of the Foreign Intelligence Surveillance Act, which permits the U.S. government to collect communications of non-Americans located outside the country without individualized warrants. This authority, along with others like Executive Order 12333, creates direct clashes with GDPR requirements.

The Safe Harbor Collapse

The first attempt to bridge this divide was the International Safe Harbor Privacy Principles, established in 2000. It allowed U.S. companies to self-certify that they met certain privacy standards, enabling them to receive personal data from the EU.

This system operated for 15 years until the Court of Justice invalidated it in a landmark 2015 case, commonly known as Schrems I. Austrian privacy advocate Maximilian Schrems argued that revelations by former NSA contractor Edward Snowden demonstrated that U.S. surveillance practices meant his personal data, transferred to the U.S. by Facebook, was not adequately protected.

The CJEU agreed, finding that U.S. intelligence agency powers compromised the essence of fundamental rights to privacy and data protection.

Privacy Shield’s Brief Life

In response, the U.S. and EU negotiated the EU-US Privacy Shield, which became operational in 2016. It was designed to be more robust, with stronger obligations on companies and a new redress mechanism for EU individuals through an “Ombudsperson” within the U.S. State Department.

However, because underlying U.S. surveillance laws hadn’t changed, Privacy Shield was immediately challenged. This led to the Schrems II ruling in July 2020, which invalidated Privacy Shield for largely the same reasons that struck down Safe Harbor.

The court’s decision rested on two critical findings:

Lack of Proportionality: The CJEU found that U.S. surveillance programs, particularly those operating under FISA 702, were not limited to what is “strictly necessary and proportionate” as required by the EU’s Charter of Fundamental Rights. The court viewed these programs as allowing bulk data collection without sufficient safeguards.

Lack of Effective Redress: The court determined that the Ombudsperson mechanism was not an adequate remedy for EU citizens. It was not a tribunal or court; it lacked true independence from the U.S. executive branch; and it could not issue binding decisions on intelligence agencies.

Privacy Shield’s invalidation plunged thousands of businesses into legal uncertainty, forcing them to rely on more complex and administratively burdensome alternatives like Standard Contractual Clauses.

Evolution of EU-US Data Transfer Frameworks

Framework: International Safe Harbor
  Years active: 2000–2015
  Legal basis (U.S. side): Commerce Department program; self-certification
  Key redress mechanism: Informal dispute resolution; FTC referral
  Primary reason for CJEU invalidation: U.S. surveillance laws allowed disproportionate access to EU data (Schrems I)

Framework: EU-US Privacy Shield
  Years active: 2016–2020
  Legal basis (U.S. side): Commerce Department program; self-certification
  Key redress mechanism: Privacy Shield Ombudsperson within the State Department
  Primary reason for CJEU invalidation: FISA 702 not “necessary and proportionate”; Ombudsperson not truly independent (Schrems II)

Framework: EU-US Data Privacy Framework
  Years active: 2023–present
  Legal basis (U.S. side): Presidential Executive Order 14086; Commerce Department program
  Key redress mechanism: Two-tier system: CLPO investigation followed by appeal to the Data Protection Review Court
  Primary reason for CJEU invalidation: Not yet challenged, but critics argue it fails to resolve the same underlying issues

The U.S. Government’s Response

Determined to restore a stable mechanism for data flows, the U.S. government and European Commission entered intense negotiations to create a framework that could withstand CJEU scrutiny. The result was the EU-US Data Privacy Framework, built upon a Presidential Executive Order introducing new safeguards and a novel redress mechanism for EU individuals.

Executive Order 14086: New Safeguards

The legal cornerstone of the U.S. commitment to the DPF is Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” signed by President Joe Biden on October 7, 2022. This order was meticulously crafted to address specific concerns raised by the CJEU in Schrems II.

Its central provision introduces new, binding safeguards requiring U.S. signals intelligence activities to be conducted only in pursuit of defined national security objectives and limited to what is “necessary and proportionate” to advance those objectives. The use of this specific terminology was a direct attempt to align U.S. policy with EU law language and CJEU rulings.

The Executive Order lists 12 legitimate objectives for signals intelligence, such as countering terrorism and cybersecurity threats, and several prohibited objectives, such as suppressing criticism or disadvantaging individuals based on ethnicity, race, gender, or religion.

Two-Tier Redress Mechanism

To address the CJEU’s finding that Privacy Shield lacked effective redress mechanisms, EO 14086 established a new, two-layer system for individuals in “qualifying states” – a designation granted to the EU – to seek remedy for alleged violations of their privacy rights by U.S. intelligence activities.

Layer 1: Civil Liberties Protection Officer: The first step involves a complaint being forwarded to the Civil Liberties Protection Officer, an official within the Office of the Director of National Intelligence. The CLPO conducts independent investigations to determine whether violations of U.S. law, including new safeguards in EO 14086, have occurred. If violations are found, the CLPO has authority to issue binding decisions and determine appropriate remediation.

Layer 2: Data Protection Review Court: If individuals are not satisfied with CLPO findings, they can appeal decisions to the newly created Data Protection Review Court. The DPRC functions as an independent and impartial body with power to issue binding decisions, including ordering intelligence agencies to delete improperly collected data.

Redress Pathways for EU Individuals

Commercial Complaints (against a DPF-certified company):
  Step 1: Complaint to the company (45 days to respond)
  Step 2: Independent dispute resolution (free of charge)
  Step 3: Complaint to EU DPA (referral to Commerce/FTC)
  Step 4: Binding arbitration (last resort)

Surveillance Complaints (against the U.S. Government):
  Step 1: Complaint via EU Data Protection Authority
  Step 2: Investigation by ODNI Civil Liberties Protection Officer
  Step 3: Appeal to Data Protection Review Court
  Step 4: Binding decision and notification

The Data Protection Review Court Innovation

The creation of the Data Protection Review Court is arguably the DPF’s most significant innovation. It was established by the U.S. Attorney General through regulation and is designed to function as an independent body to review CLPO decisions.

The entire redress mechanism, including the DPRC, is a creation of the Executive Branch, not the Judicial Branch. This structure was deliberate. A key barrier for non-U.S. citizens seeking to challenge surveillance in regular U.S. courts is the constitutional requirement of “standing,” which demands proof of specific, personal injury.

It’s nearly impossible for individuals to prove they were harmed by secret surveillance programs they were never officially notified about. By creating a redress system within the Executive Branch, the administration bypassed this standing requirement.

However, this solution is the source of potent criticism: a court created and housed within the same government branch that conducts surveillance is seen by many Europeans as lacking structural independence necessary to be truly impartial.

To bolster the DPRC’s independence, its judges are appointed by the Attorney General from outside the U.S. government, must have relevant experience in privacy and national security law, and are granted protections against removal except for causes like misconduct.

Because DPRC proceedings are classified, complainants cannot participate directly. To address this, the framework introduces the “Special Advocate” – an experienced attorney with a security clearance appointed to advocate for the complainant’s interests before the court. However, the Special Advocate cannot communicate with complainants about the substance of the classified proceedings, which critics argue undermines the effectiveness of that representation.

Commerce Department’s Administrative Role

While the Executive Order and Department of Justice established the DPF’s national security safeguards, day-to-day operation of the program’s commercial aspects falls on the U.S. Department of Commerce. Its role is best understood as registrar and facilitator, managing public-facing aspects and serving as the entry point for U.S. businesses seeking to participate.

International Trade Administration as Program Manager

The Data Privacy Framework program is administered by the International Trade Administration, an agency within Commerce. The ITA’s DPF team manages the certification system, provides guidance and resources to participating organizations, and liaises with European data protection authorities.

It’s crucial to distinguish this administrative role from enforcement. While ITA manages the participant list, authority to enforce DPF Principles against non-compliant companies lies with the Federal Trade Commission and Department of Transportation.

A company’s public commitment to the DPF is legally binding, and failure to adhere to promises can be treated as deceptive acts under Section 5 of the FTC Act.

The Self-Certification Process

Participation in the DPF program is voluntary for U.S. companies. However, once an organization self-certifies compliance, adherence to DPF Principles becomes compulsory and legally enforceable.

To be eligible, U.S. organizations must be subject to FTC or DOT jurisdiction. This scope limitation means certain key sectors – banking, insurance, telecommunications common carriers, and most non-profit organizations – are not eligible to join the DPF.

The self-certification process is managed through the official DPF website, maintained by ITA. Organizations must:

  • Confirm eligibility
  • Develop DPF Principles-compliant privacy policies and make them publicly available
  • Identify independent recourse mechanisms to handle individual complaints at no cost
  • Complete online self-certification forms, providing required information to Commerce and paying annual administrative fees

A notable launch feature was a “grandfathering” provision for companies that maintained Privacy Shield certification. These organizations were automatically transitioned into the DPF without needing new initial certification. However, this convenience came with potential compliance traps: companies were required to update privacy policies to reflect new DPF Principles by October 10, 2023, and ensure their independent dispute resolution providers were still active and paid for.

The Data Privacy Framework List

A central Commerce function is maintaining and making publicly available the authoritative Data Privacy Framework List. This serves as the definitive public record of all U.S. organizations with active self-certification.

For European businesses, this list is the primary tool for verifying that U.S. partners are legitimate DPF participants before transferring personal data.

ITA is responsible for keeping this list accurate and up-to-date. It removes organizations that voluntarily withdraw, fail to complete annual re-certification, or are found persistently non-compliant with principles. To ensure transparency, ITA also maintains public records of all organizations removed from the list, along with removal reasons.

Organizations removed from the list must immediately cease making DPF participation claims but remain obligated to apply DPF Principles to all personal data received while participants, for as long as they retain that data.

Complaint Handling and Annual Recertification

Commerce plays a role in the commercial complaint process. If EU individuals file complaints with their national Data Protection Authorities concerning DPF participants, the DPAs may refer those complaints to ITA. ITA has committed to receiving and reviewing such referrals and to using its best efforts to facilitate a resolution between the individual and the company.

To remain on the Data Privacy Framework List, every participating organization must re-certify compliance annually. This process requires companies to reaffirm commitment to DPF Principles and pay annual fees, ensuring participation is an ongoing commitment rather than one-time registration.

Requirements and Benefits for U.S. Businesses

For U.S. companies doing business with Europe, the Data Privacy Framework offers a potentially streamlined path to compliance with the EU’s strict data transfer rules. Participation requires adherence to core privacy principles, but the benefits can include significant reductions in administrative complexity and enhanced trust with European partners.

The Seven Core DPF Principles

At the DPF’s heart are seven core privacy principles, supplemented by sixteen additional principles, that participating organizations must uphold. These principles are substantively the same as those under former Privacy Shield.

The primary value proposition for businesses is not that it offers fundamentally different or stronger commercial privacy rules than other mechanisms, but that it offers a much simpler compliance path. It effectively shifts the immense burden of assessing U.S. surveillance law from thousands of individual companies to the European Commission, which has pre-approved the entire framework through its adequacy decision.

The Seven Core Principles of the Data Privacy Framework

Principle: Core requirement for U.S. companies

1. Notice: Provide clear, accessible information about data types collected, processing purposes, DPF participation, liability in onward transfers, individual rights, and available recourse mechanisms.
2. Choice: Offer individuals opportunities to opt out of disclosure to third-party controllers and of use for materially different purposes. For sensitive information, require affirmative opt-in consent.
3. Accountability for Onward Transfer: Remain liable when transferring data to third parties acting as agents. Must have contracts limiting the processing purpose and requiring the same level of protection as the Principles.
4. Security: Take “reasonable and appropriate” measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
5. Data Integrity and Purpose Limitation: Limit personal data to what is relevant for the processing purposes. Take reasonable steps to ensure data is reliable, accurate, complete, and current.
6. Access: Provide individuals access to the personal information held about them. Allow correction, amendment, or deletion of inaccurate information or information processed in violation of the Principles.
7. Recourse, Enforcement, and Liability: Provide robust complaint mechanisms, including free and independent recourse. Cooperate with Commerce and commit to binding arbitration as a last resort.

Business Benefits of DPF Certification

For eligible U.S. companies, joining the DPF offers several key advantages:

Legal Certainty and Predictability: The DPF’s primary benefit is that it’s based on an adequacy decision from the European Commission. This means transfers to DPF-certified companies are deemed “adequate” under GDPR, providing clear and reliable legal basis for transatlantic data flows and restoring predictability lost after Schrems II.

Reduced Administrative Burden: Compared to the main alternative, Standard Contractual Clauses, the DPF can significantly reduce compliance overhead. It eliminates the need to negotiate and execute SCCs with every European customer or partner and removes requirements for companies to conduct their own complex and legally risky Transfer Impact Assessments of U.S. surveillance law.

This makes it particularly attractive and affordable for small and medium-sized businesses.

Commercial Advantage: DPF certification can be a competitive differentiator. European partners may prefer working with DPF-certified U.S. companies because it simplifies their own compliance obligations. Participation signals serious commitment to protecting personal data in line with European standards, which can build trust with customers and regulators.

Comparing DPF to Standard Contractual Clauses

While the DPF provides a streamlined path, SCCs remain valid and widely used mechanisms for data transfers. The key difference lies in responsibility allocation.

With the DPF, the European Commission has done the heavy lifting by issuing a blanket adequacy decision. Certified U.S. companies and their EU partners can rely on this decision as their legal basis for transfer.

With SCCs, responsibility falls on data exporters in the EU. They must not only sign contracts but also conduct Transfer Impact Assessments to assess whether U.S. law and practice could prevent U.S. data importers from upholding contractual promises. If risks are identified, they must implement “supplementary measures,” such as strong encryption, to mitigate them.

Even for companies continuing to use SCCs, the DPF provides benefits. Safeguards established under EO 14086 apply to all data transfers to the U.S., regardless of mechanism used. Companies can now reference the U.S. government’s new commitments and the DPRC in their TIAs to help justify conclusions that data will be adequately protected.

However, there’s a critical limitation businesses must understand, particularly in the cloud computing context. DPF certification of major U.S. cloud service providers doesn’t automatically cover the personal data of their European clients stored on those platforms. European companies remain “data controllers” and are ultimately responsible for ensuring valid transfer mechanisms are in place.

While a cloud provider’s DPF status simplifies the TIA process, it doesn’t eliminate the need for European clients to have their own legal basis for the transfer, which often still involves signing SCCs with the provider. This nuance complicates the DPF’s promise of simplicity in the cloud era.

Ongoing Controversies and Criticisms

Despite celebrations from business groups and governments on both sides of the Atlantic, the Data Privacy Framework was met with immediate and forceful criticism from privacy advocates. They argue that the DPF is merely a political solution that papers over the same fundamental legal flaws that doomed its predecessors, making it a “sitting duck” for a third invalidation by the CJEU.

Core Criticism: Unchanged U.S. Surveillance Law

The central argument against the DPF is that it does nothing to change underlying U.S. statutes that permit broad government surveillance. FISA Section 702, the law at the heart of the Schrems II ruling, remains fully intact and operational.

Critics contend that a Presidential Executive Order, which is what the DPF’s safeguards are based on, cannot override a law passed by Congress and is therefore an insufficient legal foundation.

Furthermore, there’s strong belief that U.S. and EU definitions of “necessary and proportionate” remain fundamentally misaligned. While the DPF adopts EU language, the Executive Order still explicitly allows for bulk data collection under certain circumstances – a practice the CJEU has consistently found disproportionate.

RISAA: Congressional Expansion of Surveillance

The DPF’s greatest weakness may be a fundamental contradiction in its timing and substance. While the U.S. Executive Branch was negotiating a framework based on assurances of limiting surveillance, the Legislative Branch was moving in the opposite direction.

In April 2024, Congress passed the Reforming Intelligence and Securing America Act, which reauthorized FISA Section 702 for two years. Critically, RISAA did not reform Section 702 to address European concerns; it expanded its reach.

The act broadened the definition of an “electronic communication service provider,” potentially forcing a wider range of entities – including data centers, cloud providers, and even commercial landlords with access to communications equipment – to assist with government surveillance.

It also codified and expanded a program for suspicionless vetting of non-U.S. persons applying to travel to the U.S. This legislative action, taken by Congress after the DPF was agreed upon, directly undermines diplomatic assurances given to the European Commission and provides powerful legal ammunition for future court challenges.

Critiques of the Redress Mechanism

The new two-tier redress mechanism, particularly the DPRC, has faced intense scrutiny. Critics argue it fails to provide truly independent and effective judicial remedy for several reasons:

Lack of Structural Independence: Because the DPRC is housed within the Department of Justice, an Executive Branch agency, it’s not seen as structurally separate from the intelligence agencies it’s meant to oversee.

An Opaque and Ineffective Process: The entire process is largely inaccessible to complainants. Individuals are generally never notified that they’re under surveillance, making it almost impossible to know they have reason to complain. If they do complain, they’re excluded from proceedings and receive generic final notifications that neither confirm nor deny surveillance.

Limited Remediation: Any remedy ordered by the DPRC is narrowly tailored to individual complainants and is not designed to address broader, systemic violations of privacy rights.

The Inevitability of Schrems III

Given these criticisms, a third legal challenge to the DPF is widely considered inevitable. Max Schrems’s privacy organization, NOYB (“None of Your Business”), has publicly confirmed its intention to bring a Schrems III case before the CJEU.

Many legal experts and privacy advocates believe the framework is fundamentally flawed and will ultimately meet the same fate as Safe Harbor and Privacy Shield.

Adding to this legal fragility is political uncertainty. Because the DPF’s core safeguards are based on a Presidential Executive Order, they could be altered or even rescinded by a future U.S. administration without any Congressional action, making the framework a potentially temporary solution dependent on political climate.

This recurring cycle of legal instability is fueling searches for more durable solutions. There’s growing interest on both sides of the Atlantic in Privacy-Enhancing Technologies, such as federated learning and differential privacy, which could allow for valuable data analysis without requiring transfer of raw personal data, potentially offering technological paths around this persistent legal impasse.

Current Status and Future Outlook

As of 2024, the Data Privacy Framework continues to operate, with thousands of U.S. companies having self-certified their participation. The European Commission conducted its first annual review of the framework in 2024, as required by the adequacy decision.

However, the framework operates under a cloud of uncertainty. Privacy advocates continue to gather evidence for potential legal challenges, while businesses struggle with the question of whether to invest heavily in DPF compliance or maintain backup plans using Standard Contractual Clauses.

The Commerce Department continues to refine its administration of the program, issuing guidance documents and maintaining the certification list. However, the fundamental tensions that led to the downfall of Safe Harbor and Privacy Shield remain unresolved.

The DPF represents an ambitious attempt to create legal certainty for transatlantic data flows while balancing competing national security and privacy interests. Whether it will prove more durable than its predecessors depends largely on whether the compromises embedded in its structure can withstand the scrutiny of European courts that have twice before found such arrangements inadequate.

For U.S. businesses operating in the global digital economy, the DPF provides a valuable but potentially temporary solution. Companies must weigh the benefits of simplified compliance against the risks of investing in a framework that may face the same legal challenges that toppled its predecessors.

The Commerce Department’s role as administrator places it at the center of this ongoing transatlantic struggle over data governance, privacy rights, and national security – a position that reflects the broader challenges facing governments as they attempt to regulate the borderless digital economy while maintaining their sovereign prerogatives.
