
EU-US Data Privacy Framework: A Complete Guide for Businesses

The EU-US Data Privacy Framework gives certified US organizations a legal basis to receive EU personal data but certification alone doesn't make a program compliant. This guide breaks down what the DPF requires, how it differs from Privacy Shield, where compliance actually breaks down, and what it takes to build a program that holds up regardless of the framework's long-term fate.

Authors
Ethan Lo, Chief Architect at Ethyca
Topic
Privacy Operations
Published
Apr 26, 2026

Key Takeaways

  • The EU-US Data Privacy Framework (DPF) is the third attempt to create a legal basis for transatlantic personal data transfers, following the invalidation of both Safe Harbor and Privacy Shield.
  • Certification is only the starting point. The real operational requirement is building infrastructure that enforces DPF principles across every system that touches EU personal data, continuously and verifiably.
  • Organizations that treat the framework as a document to file rather than a program to run will find that compliance gaps surface exactly when regulators or data subjects come looking.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), restoring a legal mechanism for transatlantic data transfers that had been absent since July 2020. In the three years between the Schrems II ruling and the new framework, thousands of organizations operated in legal uncertainty, relying on Standard Contractual Clauses under increasing regulatory pressure and inconsistent enforcement across EU member states.

The DPF is the third attempt to solve the same structural question: can US organizations receive EU personal data under conditions that meet the GDPR's "essentially equivalent" protection standard? Safe Harbor was invalidated. Privacy Shield was invalidated. The DPF exists under ongoing legal review, with proceedings already initiated before the Court of Justice of the European Union.

This guide covers what the framework requires, how certification works, where compliance for modern businesses breaks down operationally, and what it takes to build a program that holds up regardless of the framework's long-term fate.

What is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework is a legal mechanism, based on a European Commission adequacy decision under Article 45 of the General Data Protection Regulation (GDPR), that gives certified US organizations a valid transfer basis for receiving personal data from the EU, the European Economic Area (EEA), and, through a separate extension, the United Kingdom.

One critical distinction: the framework addresses one specific regulatory requirement, the legal basis for cross-border transfer. Every other obligation, from lawful processing to data subject rights to breach notification, remains independently enforceable.

Self-certification is administered by the US Department of Commerce. Organizations commit to seven binding principles and are listed on a public registry at dataprivacyframework.gov. The Federal Trade Commission (FTC) enforces compliance under Section 5 of the Federal Trade Commission Act.

The Difference Between DPF and Privacy Shield

The difference between the DPF and its predecessor sits on the government access side, rather than the commercial obligations side.

Whether the DPF's changes on the government access side satisfy the "essentially equivalent" standard is an important question in active legal proceedings. For organizations processing cross-border data at scale, the DPF provides a transfer mechanism, not a compliance program.

Ethyca processes 744M+ preferences annually across 200+ global brands, and the pattern is consistent: organizations that treat the transfer mechanism as the entirety of their compliance posture encounter exposure the moment it is tested.

A Brief History of the EU-US Data Privacy Framework

Each predecessor framework was struck down for the same reason: US law did not provide EU data subjects with essentially equivalent protections. That pattern matters for assessing the DPF's durability.

Safe Harbor (2000–2015)

Safe Harbor was the first self-certification mechanism for EU-US data transfers. At its peak, more than 4,400 organizations had been certified. Edward Snowden's 2013 disclosures revealed the scale of the NSA's PRISM program, which collected data directly from major US technology companies' servers. Max Schrems challenged Facebook's transfers to the US; Case C-362/14, decided October 6, 2015, invalidated Safe Harbor because US authorities could access transferred data without proportionality constraints, and EU data subjects had no effective judicial remedy.

Privacy Shield (2016–2020)

Privacy Shield added a Privacy Shield Ombudsperson within the US State Department and written representations from US intelligence agencies. Max Schrems filed a second challenge. Case C-311/18, decided July 16, 2020, found that FISA Section 702 permitted targeting of non-US persons without individualized judicial authorization, and that the Ombudsperson lacked independence from the executive branch. The ruling not only invalidated Privacy Shield but required case-by-case assessments of whether US law made any transfer mechanism adequate.

The road to the DPF (2020–2023)

The road to the DPF was defined by fragmented enforcement. The Austrian DPA, French CNIL, and Italian Garante each ruled that Standard Contractual Clauses, without sufficient technical supplementary measures, did not adequately cover US transfers. In March 2022, President Biden and European Commission President von der Leyen announced an agreement in principle. EO 14086 followed in October 2022. The Commission adopted its adequacy decision on July 10, 2023.

The classified proceedings of the Data Protection Review Court (DPRC) remain the most contested element. Complainants receive confirmation that a review occurred but not the substance of the decision. Whether this satisfies Article 47 of the EU Charter, which guarantees an effective judicial remedy, is the question on which current legal proceedings will most likely turn.

Principles of the EU-US Data Privacy Framework

The DPF is built on seven binding principles, enforceable by the FTC. Violation of any constitutes a deceptive trade practice.

  1. Notice (I): Inform individuals about data collection, processing purposes, and their rights.
  2. Choice (II): Provide opt-out mechanisms for secondary uses; require opt-in for sensitive data.
  3. Accountability for Onward Transfer (III): Ensure third-party recipients provide equivalent protections.
  4. Security (IV): Apply reasonable and proportionate technical and organizational safeguards.
  5. Data Integrity and Purpose Limitation (V): Limit data use to disclosed purposes; keep data accurate.
  6. Access (VI): Allow individuals to access, correct, and delete their personal data.
  7. Recourse, Enforcement and Liability (VII): Maintain effective complaint mechanisms with binding resolution.

Compliance with GDPR does not automatically satisfy these principles, and DPF certification does not satisfy GDPR obligations beyond the transfer basis.

Key Operational Requirements by Principle

Notice and Choice (I and II)

Principle I requires specific disclosures at the point of collection: data types, processing purposes, DPF commitment, access rights, available choices, recourse mechanism, jurisdiction, and onward transfer liability. A generic privacy policy does not satisfy this. Principle II requires that opt-outs for secondary uses and third-party disclosures propagate to every downstream system. An opt-out captured in a preference center that does not reach the CRM, analytics platform, and ad-tech stack is a Principle II violation. Ethyca's Janus enforces consent at the data layer, not just the front-end, ensuring preference changes propagate automatically across every connected system.

Accountability for Onward Transfer (III)

Transfers to third-party controllers require the recipient to participate in the DPF, be subject to an adequacy decision, or sign an agreement requiring equivalent protections. Transfers to agents (processors) require equivalent protections and leave the certified organization liable for violations unless it can prove it was not responsible. Every vendor contract involving EU personal data must contain enforceable DPF-equivalent clauses. The principle does not grandfather pre-DPF agreements.

Security (IV)

Controls must be proportionate to data sensitivity and demonstrable, not merely documented. Access controls must be tied to data classification, encryption applied based on sensitivity, and audit logs maintained. Ethyca's Helios provides continuous discovery and classification across all systems, so security controls stay scoped to personal data specifically.

Data Integrity and Purpose Limitation (V)

Using EU personal data for behavioral analytics, AI model training, or ad targeting without prior disclosure is a purpose limitation violation. AI systems consume data at machine speed; no manual review process can assess, at the moment of access, whether consent exists for a given use.

Ethyca's Astralis enforces AI policy at the point of data use, ensuring only purpose-cleared data enters AI pipelines and creating an auditable record of every data decision.

Fides, Ethyca's open-source governance taxonomy, codifies legal obligations into machine-readable policy that propagates consistently across all systems. As IAPP noted: "The possibilities afforded by Fides developer tools are astonishing."

Access, Recourse, and Enforcement (VI and VII)

Individuals have the right to access, correct, and delete their data. Certified organizations must provide four escalating recourse layers:

  • Direct complaint response within 45 days
  • Independent recourse mechanism (JAMS, AAA, or similar for commercial data; EU DPA panel for HR data)
  • Binding arbitration before a DPF panel
  • DPRC for complaints related to US government access

Ethyca's Lethe operationalizes rights fulfillment end-to-end, processing 4M+ access requests across the platform. That volume is only achievable because fulfillment is handled at the system level, generating audit-ready records automatically.

Does the Data Privacy Framework Apply to Your Organization?

The DPF is available only to US organizations under FTC or Department of Transportation jurisdiction. Excluded sectors include:

  • Banks and financial institutions regulated by federal banking agencies
  • Telecommunications carriers regulated by the FCC
  • Insurance companies regulated at the state level
  • Most non-profit organizations

Excluded organizations must use Standard Contractual Clauses, binding corporate rules, or Article 49 GDPR derogations.

Two Certification Tracks

  • Commercial data track covers personal data from EU customers, users, and business contacts. A private-sector dispute resolution provider (JAMS, AAA) serves as the recourse mechanism.
  • HR data track covers employee records transferred from EU subsidiaries or operations. This track requires committing to cooperate with the EU DPA panel. A private dispute resolution provider is not sufficient. Organizations that certify only under the commercial track have not established a valid transfer basis for HR data flows.

Geographic scope is equally specific. The UK requires the separate UK Extension. Switzerland requires the Swiss-US Data Privacy Framework. Data from all other countries falls outside these frameworks entirely and requires its own transfer basis. Helios maintains a live data inventory that keeps this scope picture current as systems and vendor relationships evolve.

What it Takes to Become DPF Certified

Certification is a voluntary commitment with binding consequences, administered by the International Trade Administration within the US Department of Commerce.

Self-certification steps

  1. Update the privacy policy to include all Principle I disclosures: DPF participation, data types, purposes, individual rights, recourse mechanism, and FTC jurisdiction.
  2. Designate an independent recourse mechanism: a qualifying dispute resolution provider for commercial data, or the EU DPA panel for HR data.
  3. Submit the self-certification at dataprivacyframework.gov, including the organization's legal entity, privacy policy URL, recourse mechanism, scope, and any UK or Swiss extensions.
  4. Pay a tiered annual fee based on annual revenue.

For organizations with mature privacy programs, initial submission preparation can be completed within weeks. Department of Commerce review and recourse mechanism contracting extend the full timeline.

Ongoing obligations

Certification is the beginning of a program, not its conclusion. Four obligations run continuously:

  1. Vendor contract management. New sub-processors handling EU personal data require DPF-equivalent contract clauses before transfers begin. Pre-DPF agreements are not grandfathered.
  2. Rights fulfillment. Access, correction, and deletion requests must be addressed without unreasonable delay. Lethe automates DSR fulfillment end-to-end, eliminating backlogs that accumulate when the process is manual.
  3. Privacy policy currency. Any change in data practices, processing purposes, or vendor relationships that affects required disclosures requires a policy update. A stale policy is a Principle I violation.
  4. Annual recertification. Missed renewal means removal from the DPF List. Continuing to claim DPF status after removal is an FTC enforcement target.

As Parachute's Sr. Director of Product Management, Meg Marsh, put it: "Ethyca handles all of our data privacy needs related to CCPA and GDPR. This has taken a significant amount of stress and confusion off of our team."

The FTC enforces DPF violations as deceptive trade practices. Enforcement actions carry consent orders, civil penalties, and public disclosure. They are visible to every EU business partner and DPA that checks the registry.

Top Compliance Breakdowns

Certification confirms documentation was submitted. It does not confirm that systems, processes, and vendor relationships actually comply. Three gaps consistently produce real-world exposure:

  • Data mapping. Without a current map of every system receiving EU personal data, the DPF principles cannot be enforced across the full data estate. New SaaS tools, acquisitions, and migrations change the map continuously. Helios provides automated, always-current data discovery so the inventory reflects reality at any given point, not the state of last year's audit.
  • Legacy vendor contracts. Contracts executed before the DPF often lack the protection clauses Principle III requires. Remediating at scale takes quarters, and every transfer to a non-compliant vendor during that period is a live exposure. As Jason Ordway, former CTO of Slice, noted: "Ethyca's platform simplified everything by removing all the manual effort common to other data privacy approaches."
  • Consent propagation. Consent collected at one touchpoint must reach every downstream system. If it does not, the organization is processing data contrary to the individual's expressed preference, which is a Principle II violation regardless of what the consent platform says. Janus sits between consent collection and every downstream system, propagating preference changes automatically and confirming enforcement. Across Ethyca's platform, this infrastructure handles 744M+ preferences annually.

Building in continuity

The most resilient approach is treating the DPF as one layer in a broader transfer strategy. Organizations that maintain Standard Contractual Clauses alongside DPF certification can continue transfers under the SCC basis if the DPF is invalidated, as Privacy Shield-only organizations could not in July 2020. The DPF principles map closely to GDPR requirements. Infrastructure built to enforce purpose limitation, propagate consent, fulfill rights requests, and maintain current data maps will serve whatever framework comes next.

The Future of the EU-US Data Privacy Framework

The DPF includes a built-in review mechanism. The first joint review between the European Commission and Department of Commerce was completed in 2024. Several factors will shape what comes next:

  • Active CJEU proceedings. La Quadrature du Net filed a direct annulment action (Case T-553/23). The arguments track Schrems I and Schrems II precisely.
  • FISA Section 702 was reauthorized in April 2024 without incorporating EO 14086's proportionality language into statute. EO 14086 can be modified or revoked by any future president without congressional action.
  • US federal privacy legislation could strengthen the DPF's foundation by codifying surveillance limits in statute. Its absence is the framework's most durable vulnerability.
  • Commission revocation authority exists and has precedent. If the level of protection materially diminishes, the adequacy decision can be suspended or revoked.

What remains constant is the operational requirement. Organizations built on infrastructure that enforces purpose limitation at runtime, propagates consent across systems, automates rights fulfillment, and keeps data maps current are positioned to adapt to whatever comes next. The framework may change. The underlying requirements will not.

DPF Compliance is an Infrastructure Problem. Build it That Way.

The Data Privacy Framework provides a legal transfer basis. What it cannot provide is the operational program that makes that basis hold up: current data maps, enforced consent signals, vendor contracts that reflect today's processing relationships, and audit records generated continuously rather than assembled under pressure.

These are not policy gaps. They are infrastructure gaps. And the organizations closing them are discovering something the documentation-only approach never delivers: when governance is embedded into data systems from the start, compliance stops being a bottleneck and starts being a competitive advantage. When data carries its context, speed and safety stop being tradeoffs.

Ethyca is trusted by 200+ global brands, including The New York Times, Ramp, and SurveyMonkey, to run exactly this kind of program. The platform processes 744M+ preferences annually, has handled 4M+ access requests, and has saved customers $74M+ through automation. Helios keeps data inventories current. Janus propagates consent across every system. Lethe fulfills rights requests end-to-end. Astralis governs AI data use at the point of access. Fides, the world's most-used open-source privacy engineering platform, ties it together as a machine-readable policy that enforces itself.

The framework may change. The infrastructure you build around it does not have to.

Frequently asked questions

1. What is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework is a legal mechanism that allows certified US organizations to receive personal data from the EU in line with GDPR transfer requirements. It is based on an adequacy decision adopted by the European Commission on July 10, 2023, and uses a self-certification model administered by the US Department of Commerce. Certification binds organizations to seven enforceable privacy principles.

2. What are the principles of the Data Privacy Framework?

The DPF is built on seven principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. These principles are published at dataprivacyframework.gov and enforced by the FTC. Violations may be treated as deceptive trade practices under Section 5 of the FTC Act.

3. How does an organization get DPF certified?

Organizations must commit to the seven principles, update their privacy policy with required disclosures, appoint an independent recourse mechanism, register through the dataprivacyframework.gov portal, and pay an annual fee. Organizations certifying for HR data must use the EU DPA panel as their recourse body.

4. What happens if the EU-US Data Privacy Framework is invalidated?

If the Court of Justice of the European Union invalidates the DPF adequacy decision, certified organizations lose their DPF transfer basis immediately. Organizations that also maintain Standard Contractual Clauses can continue transfers under the SCC mechanism while a replacement framework is negotiated.

5. Which organizations cannot certify under the DPF?

The DPF is available only to US organizations subject to FTC or Department of Transportation jurisdiction. Banks, many financial institutions, telecommunications carriers, insurance companies, and most non-profits are excluded. These organizations must use alternatives such as Standard Contractual Clauses or binding corporate rules.

Sources Appendix

https://congress.gov/bill/118/hr/7888
https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-businesses_v2_en.pdf