EU-U.S. Data Privacy Framework

European Union / United States

2023

Privacy

Overview

The EU-U.S. Data Privacy Framework (DPF) was adopted in 2023 to facilitate transatlantic data transfers while ensuring a level of protection for personal data that aligns with EU General Data Protection Regulation (GDPR) standards. It replaces the invalidated Privacy Shield and is designed to address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II decision.

The DPF allows EU businesses to transfer personal data to certified U.S. organizations that commit to a set of privacy principles enforced by the U.S. Department of Commerce and monitored by the Federal Trade Commission (FTC). It includes stronger safeguards on U.S. government surveillance, limits on data access, and a new Data Protection Review Court (DPRC) to handle EU citizen complaints. The framework applies to tech companies, cloud service providers, financial institutions, e-commerce platforms, and any U.S.-based organization handling EU personal data.

Key Obligations

U.S. companies must self-certify and commit to DPF privacy principles (notice, choice, access, security, etc.)
Provide EU individuals with rights to access, correct, and delete their data
Offer independent dispute resolution and respond to complaints within 45 days

Cooperate with EU data protection authorities on unresolved complaints
Adhere to limitations on data collection and ensure accountability for onward transfers

FAQ

Related Regulations