For any European business using US cloud, SaaS or analytics services, transatlantic data transfers are unavoidable — and legally fraught, given that two previous frameworks were struck down. The EU–US Data Privacy Framework is the current route, and understanding it is an important part of transfer-related GDPR compliance.
This guide explains what the DPF is, how certification works, its principles and redress mechanism, the UK extension, how it compares to SCCs, and whether to rely on it.
What the DPF is
The EU–US Data Privacy Framework (DPF) is a mechanism that allows personal data to flow from the EU to the United States without additional safeguards such as Standard Contractual Clauses, provided the US recipient is certified under it. It rests on an adequacy decision that the European Commission adopted in July 2023 under Article 45 GDPR, and that decision covers only DPF-certified US organisations, not the United States as a whole.
In plain terms: if your US partner is on the DPF list, you can transfer EU personal data to them much as you would to a company in an adequate country, without needing Standard Contractual Clauses for that transfer.
Why it exists
EU–US data flows are enormous, but two previous frameworks, Safe Harbor and Privacy Shield, were invalidated by the Court of Justice of the EU (in the Schrems I judgment of 2015 and the Schrems II judgment of 2020) over concerns about US surveillance and the lack of effective redress for EU individuals. The DPF is the third attempt to provide a stable, lawful route, built to address the issues that sank its predecessors.
It matters because so many cloud, SaaS and analytics services are US-based, making transatlantic transfers a daily reality for European businesses.
How certification works
The DPF is a self-certification scheme. A US organisation commits to a set of privacy principles, publicly declares its adherence, and registers with the US Department of Commerce, which maintains the official Data Privacy Framework List.
Certification is not a one-off badge: organisations must re-certify annually and actually live up to their commitments. A certified organisation that fails to honour them is making a misrepresentation to the public, which the Federal Trade Commission (or the Department of Transportation, for the carriers it regulates) can enforce against as a deceptive practice.
The DPF principles
Certified organisations commit to principles that echo GDPR: notice about data practices, choice over certain uses, accountability for onward transfers, security, data integrity and purpose limitation, access for individuals, and recourse and enforcement.
These give EU individuals a baseline of protection and rights when their data is handled by a certified US company.
Using the DPF for a transfer
To rely on the DPF, you must verify that your specific recipient is certified, and certified for the relevant type of data (the framework distinguishes HR and non-HR data). Check the official DPF List, confirm the status shown is active rather than inactive, confirm the listed organisation is the legal entity you actually contract with (affiliates are covered only if the certification lists them), and confirm the covered data type matches your transfer.
If the recipient is certified and active, you can transfer without SCCs. If not, you fall back to SCCs or another mechanism.
It only covers certified recipients
A crucial limitation: the DPF only legitimises transfers to organisations that are actually certified. It is not a blanket “US is now adequate” decision. Transfers to a non-certified US company — or to one whose certification has lapsed — still need SCCs or another safeguard.
So you cannot assume the DPF covers all your US vendors; you must check each one.
The redress mechanism
A key improvement over Privacy Shield is a strengthened redress mechanism for EU individuals concerned about US intelligence access to their data: a complaint is first examined by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence, with review available before a new Data Protection Review Court. This directly addresses the surveillance and redress concerns that invalidated the previous framework.
Whether it fully satisfies those concerns is debated, which feeds into the question of the DPF’s long-term stability.
UK and Swiss extensions
The framework has extensions: the UK Extension (the “UK–US Data Bridge”) lets UK data flow to certified US organisations, and a Swiss–US framework does the same for Switzerland. A US organisation must specifically opt into these extensions for them to apply, and it can only join the UK Extension if it also participates in the EU–US DPF.
So if you transfer from the UK, check that the recipient is certified under the UK Extension, not just the EU framework.
DPF vs SCCs
Where it applies, the DPF is simpler than SCCs: no clauses to sign and, importantly, no transfer impact assessment for that route. But it only works for certified recipients. SCCs are more flexible — usable for any country and recipient — but carry the Schrems II assessment burden.
Many organisations use both: the DPF where a US vendor is certified, and SCCs everywhere else.
Is the DPF stable?
Given the fate of its predecessors, a fair question is whether the DPF will last. It faces potential legal challenge (a possible “Schrems III”), and the adequacy decision could in principle be suspended or struck down.
The prudent approach is to use the DPF where it applies but keep SCCs as a fallback, so a future invalidation would not leave your transfers suddenly unlawful.
Practical steps
To use the DPF well: inventory your US data transfers, check each recipient on the official DPF List for active, relevant certification, document your reliance (including the date you checked and what the list showed), and keep SCCs ready as a backup. Re-check certifications periodically, since they can lapse: a vendor that fails to re-certify moves to inactive status, and your transfers to it then need another mechanism.
Treat the DPF as one tool in your transfer toolkit, applied deliberately rather than assumed.
Common mistakes
Typical errors include assuming the DPF makes all US transfers fine, not checking whether a specific vendor is certified, overlooking the HR vs non-HR distinction, forgetting the separate UK Extension, and having no fallback if certification lapses or the framework is challenged.
Each is avoided by verifying certification per recipient and keeping SCCs in reserve.
How ISpectra helps
Navigating US transfers — DPF, SCCs and the fallback strategy — is a nuanced part of GDPR compliance. ISpectra Technologies helps organisations map their US data flows, verify DPF certifications, decide where to rely on the framework versus SCCs, and build a resilient approach that survives changes in the legal landscape.
If you send data to US providers, a transfer review will confirm you are relying on the right mechanism for each one.
In one paragraph
The EU–US Data Privacy Framework lets EU personal data flow to certified US organisations without extra safeguards, under a 2023 adequacy decision — the third attempt after Safe Harbor and Privacy Shield were struck down. US firms self-certify with the Department of Commerce, commit to GDPR-like principles, and appear on the official DPF List, with a strengthened redress mechanism for EU individuals. It only covers certified recipients (check each one, and the HR/non-HR scope and UK Extension), so non-certified US transfers still need SCCs. Given its predecessors’ fate, use the DPF where it applies but keep SCCs as a fallback.
A worked example
Suppose a European company wants to use a popular US-based email marketing platform. The first question is whether EU personal data, such as subscriber names and addresses, will be stored or accessed in the US. It will, so this is a restricted transfer. Next, the company checks the official Data Privacy Framework List and finds the provider is actively certified for non-HR data under the EU framework. That means the transfer can rely on the DPF: no Standard Contractual Clauses and no transfer impact assessment are needed for that flow, and the company simply documents its reliance and the provider’s certification. Relying on the DPF settles only the transfer mechanism; the company still needs its Article 28 processor contract with the provider and still has to tell subscribers about the transfer in its privacy notice.
Now suppose the same company also uses a smaller US analytics tool that is not on the DPF List. For that vendor, the DPF offers nothing, so the company falls back to SCCs, completes the annexes, and runs a transfer impact assessment. The contrast captures the practical reality: the DPF is a welcome shortcut where a vendor is certified, but it never removes the need to check each recipient and to keep SCCs ready for everyone else. Building that simple per-vendor check into procurement is what keeps transatlantic transfers both convenient and lawful.
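The per-vendor check described under Practical steps and walked through in the worked example above can be expressed as a small decision routine, shown here as an added example. It is not ISpectra's tooling and not an official interface to the Data Privacy Framework List: the list rows, organisation names and dates are constructed for illustration, and a real run would read an export of the official list. The one edge case it handles beyond the text is a snapshot whose certification date is older than the annual re-certification cycle, which it treats as not relied upon until re-verified.

```python
"""Decide, per vendor, whether a transfer can rely on the DPF or needs SCCs.

Added example with constructed data; not the official DPF List and not a
legal opinion. Hypothetical organisations and dates throughout.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed snapshot of DPF List rows. 'frameworks' records what the
# organisation has opted into: EU (EU-US DPF), UK (UK Extension), CH (Swiss-US DPF).
DPF_SNAPSHOT = [
    {"org": "Example Mail Platform Inc.", "status": "Active",
     "covered_data": {"NON-HR"}, "frameworks": {"EU", "UK"},
     "certified_on": date(2025, 3, 1)},
    {"org": "Example Payroll LLC", "status": "Active",
     "covered_data": {"HR", "NON-HR"}, "frameworks": {"EU"},
     "certified_on": date(2024, 1, 15)},
    {"org": "Example Lapsed Corp", "status": "Inactive",
     "covered_data": {"NON-HR"}, "frameworks": {"EU", "UK"},
     "certified_on": date(2023, 9, 1)},
]

RECERT_PERIOD = timedelta(days=365)  # certification is renewed annually


@dataclass
class Transfer:
    vendor: str      # legal entity you contract with
    origin: str      # "EU", "UK" or "CH": where the data is exported from
    data_type: str   # "HR" or "NON-HR"


@dataclass
class Decision:
    mechanism: str                       # "DPF" or "SCC"
    reasons: list = field(default_factory=list)


def lookup(snapshot, vendor):
    """Exact-name match only: a parent's certification does not cover an
    affiliate unless the affiliate itself appears on the list."""
    for row in snapshot:
        if row["org"].casefold() == vendor.casefold():
            return row
    return None


def decide(transfer, snapshot, today):
    """Return DPF only when every condition holds; otherwise SCC (with a TIA)."""
    row = lookup(snapshot, transfer.vendor)
    if row is None:
        return Decision("SCC", ["recipient not on the DPF List"])
    reasons = []
    if row["status"] != "Active":
        reasons.append(f"certification status is {row['status']}")
    if transfer.data_type not in row["covered_data"]:
        reasons.append(f"certification does not cover {transfer.data_type} data")
    if transfer.origin not in row["frameworks"]:
        reasons.append(f"recipient has not opted into the {transfer.origin} framework")
    if today - row["certified_on"] > RECERT_PERIOD:
        # Either the snapshot is stale or re-certification is overdue; do not
        # rely on it until the live list has been checked again.
        reasons.append("certification date older than the annual cycle; re-verify")
    if reasons:
        return Decision("SCC", reasons)
    return Decision("DPF", ["active, covers data type and origin framework, within annual cycle"])


def review(transfers, snapshot, today):
    """Map each vendor to its decision; the documented record for the file."""
    return {t.vendor: decide(t, snapshot, today) for t in transfers}


if __name__ == "__main__":
    sample = [  # constructed inventory of transfers
        Transfer("Example Mail Platform Inc.", "EU", "NON-HR"),
        Transfer("Example Mail Platform Inc.", "UK", "HR"),
        Transfer("Example Payroll LLC", "UK", "HR"),
        Transfer("Example Lapsed Corp", "EU", "NON-HR"),
        Transfer("Example Analytics Tool Ltd", "EU", "NON-HR"),
    ]
    for vendor, d in review(sample, DPF_SNAPSHOT, date(2025, 6, 1)).items():
        print(f"{vendor}: {d.mechanism} ({'; '.join(d.reasons)})")
```

The matching is deliberately strict and the lapse rule deliberately conservative: a false "DPF" answer means an unlawful transfer, whereas a false "SCC" answer only costs the effort of signing clauses you may not have needed.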