The European Commission adopted an adequacy decision for the United States in July 2023, completing the implementation of the Trans-Atlantic Data Privacy Framework (DPF). This is the third attempt at establishing a legal mechanism for EU-US data transfers, after the Court of Justice invalidated both the Safe Harbor and Privacy Shield frameworks.

What Is the DPF?

The framework consists of two components. On the European side, the Commission's adequacy decision effectively greenlights data transfers to qualifying US organizations. On the American side, Executive Order 14086 imposes rules limiting intelligence agency surveillance of data from EU/EEA countries and establishes a redress mechanism for affected individuals.

The DPF is not universal. European organizations can rely on the adequacy decision only when transferring data to US companies that self-certify adherence to the framework's principles with the Department of Commerce. Transfers to non-certified organizations still require standard contractual clauses (SCCs) or other safeguards.

The History: Schrems I and II

The 2013 Snowden revelations triggered a decade-long legal battle over EU-US data transfers. Austrian privacy advocate Max Schrems challenged transatlantic data transfers, arguing that US surveillance exposed European data to unacceptable risks. The Court of Justice agreed twice, invalidating the Safe Harbor in Schrems I and the Privacy Shield in Schrems II.

These rulings established two important principles: adequacy decisions must reflect genuine data protection standards rather than political convenience, and organizations may need additional safeguards beyond SCCs when transferring data to countries with extensive surveillance capabilities.

Impact of Schrems II

After the 2020 ruling, many companies continued transferring data to the US without adequate safeguards. Privacy organizations responded by filing complaints that led national authorities to take enforcement action against US-based analytics and advertising tools in France, Italy, Austria, and other key markets.

Will the DPF Survive Legal Challenge?

Privacy advocates have already announced plans to challenge the adequacy decision before the Court of Justice. The framework represents an improvement over the Privacy Shield, but questions remain about whether the executive order's limitations on surveillance are sufficient.

The European Parliament issued a negative opinion on the framework, which could influence the court's stance. Geopolitical factors, including the strategic EU-US relationship, may push in the other direction. If the DPF is invalidated in a potential "Schrems III" ruling, European businesses will once again face fundamental legal uncertainty around their use of US-based cloud services and data processors.

Organizations should maintain contingency plans for their US data transfers, including evaluating European-hosted alternatives for critical services.