Privacy Guide | June 25, 2026 | 8 min read

Understanding the EU-US Data Privacy Framework

By Sarah Chen

Head of Privacy Research

Every time you use a US-based app, social media platform, or cloud service, your personal data may be transferred from Europe to the United States — or vice versa. The EU-US Data Privacy Framework (DPF), adopted in July 2023, is the legal mechanism that makes these transfers lawful. Whether you're an American who uses European services or a European whose data flows to US companies, this guide explains what the framework means for your privacy and what rights it gives you.

What Is the EU-US Data Privacy Framework?

The DPF is an agreement between the European Union and the United States that allows certified US companies to receive personal data from the EU (and the broader European Economic Area) in compliance with EU data protection law. The European Commission issued an adequacy decision on July 10, 2023, confirming that participating US companies provide a level of data protection "essentially equivalent" to what the GDPR requires.

In practical terms, the DPF replaces the Privacy Shield framework, which the EU Court of Justice struck down in 2020 over concerns about US government surveillance. The new framework attempts to address those concerns through executive orders that limit intelligence agency access to EU personal data and the creation of an independent redress mechanism.

A Brief History: Why This Is the Third Attempt

The DPF is actually the third attempt at a transatlantic data transfer agreement:

  • Safe Harbor (2000–2015): The original framework, invalidated by the EU Court of Justice in the Schrems I ruling over US surveillance concerns.
  • Privacy Shield (2016–2020): The replacement, also struck down in the Schrems II ruling for similar reasons — the court found that US surveillance laws didn't adequately protect EU citizens' data.
  • Data Privacy Framework (2023–present): The current framework, built on Executive Order 14086, which imposes new limits on US intelligence activities and creates the Data Protection Review Court (DPRC) for EU individuals to challenge surveillance.

How Does It Work?

US companies voluntarily certify their compliance with the DPF through the Department of Commerce. As of 2026, more than 2,800 organizations hold active certifications. When a certified company receives personal data from the EU, it commits to:

  • Purpose limitation: Using data only for the purposes stated at the time of collection
  • Data minimization: Collecting only the data necessary for those purposes
  • Security safeguards: Protecting data with reasonable security measures
  • Onward transfer protections: Requiring any third parties who receive the data to provide equivalent protections
  • Individual rights: Giving individuals access to their data and the ability to correct or delete it

How to check if a company is certified

Visit dataprivacyframework.gov and search the organization list. Only companies with active certifications are covered by the framework's protections.

What Rights Do You Have?

If You're in the EU

Under the DPF, European individuals have the right to:

  • Access the personal data a certified US company holds about them
  • Request correction of inaccurate data
  • Request deletion of data that is no longer necessary
  • Opt out of having their data used for direct marketing
  • File complaints with their national data protection authority, the Department of Commerce, or an independent dispute resolution body
  • Challenge potential US government surveillance of their data through the Data Protection Review Court

If You're in the US

The DPF doesn't directly grant new rights to US residents — it primarily governs data flowing from Europe to the US. However, it matters to you because:

  • US companies must maintain higher privacy standards for all users when they're DPF-certified, which can indirectly benefit American customers.
  • Your own state privacy laws (like the CCPA in California) give you similar rights for your domestic data.
  • If you use European services, the DPF ensures your data can continue flowing smoothly between countries.

Is the Framework Secure?

The DPF has already survived its first legal challenge. French MEP Philippe Latombe challenged the adequacy decision in the EU General Court (Case T-553/23), arguing that US surveillance safeguards were still insufficient. The General Court dismissed the challenge in September 2025, finding that:

  • The Data Protection Review Court is sufficiently independent and impartial
  • US law adequately limits bulk data collection
  • US protections for data security are substantially equivalent to EU law

However, an appeal is pending before the EU Court of Justice (Case C-703/25 P) as of 2026. Privacy advocates like Max Schrems, whose litigation invalidated the two previous frameworks, have expressed skepticism that the DPF will survive long-term scrutiny.

The framework could be invalidated again

If the Court of Justice ultimately finds the DPF inadequate — as it did with Safe Harbor and Privacy Shield — thousands of companies would need to find alternative legal mechanisms for transatlantic data transfers, potentially disrupting services for millions of users.

What This Means for Your Privacy

The DPF provides a legal framework, but your privacy ultimately depends on individual companies' practices. Some practical takeaways:

  • Check certifications. Before sharing personal data with a US company, verify its DPF certification at dataprivacyframework.gov.
  • Exercise your rights. If you're in the EU, you can request access to, correction of, or deletion of your data from any certified company.
  • Read privacy policies. The DPF requires companies to publish clear privacy policies — use them to understand how your data is handled.
  • Minimize your data footprint. Regardless of legal frameworks, the less personal data you share, the less there is to be transferred, sold, or breached. Consider using a data removal service to reduce your exposure across data brokers on both sides of the Atlantic.

Take Control of Your Data With PrivacyOn

Legal frameworks govern how companies should handle your data, but they can't prevent every breach or misuse. PrivacyOn takes a practical approach — removing your personal information from 100+ data brokers, monitoring the dark web for your compromised data, and providing 24/7 alerts when your information surfaces in new places. Whether your data is in the US, the EU, or bouncing between both, start by understanding your data rights and let PrivacyOn help enforce them.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
