What is the DPF?
The EU-US Data Privacy Framework (DPF) is the European Commission’s July 2023 adequacy decision (and the parallel UK Extension and Swiss-US Framework) that permits transfers of personal data from the EU/EEA to certified US organisations without additional SCCs or TIAs for those specific transfers. The DPF replaces the invalidated Privacy Shield (Schrems II) and rests on US Executive Order 14086 (signals intelligence safeguards) plus the Data Protection Review Court (DPRC) remedy mechanism.
How DPF works
- US organisation self-certifies to the US Department of Commerce.
- Annual recertification required to maintain status.
- Public list: the DPF list (dataprivacyframework.gov) is searchable; transferring exporters check before relying on the adequacy basis.
- Principles compliance: notice, choice, accountability for onward transfer, security, data integrity, access, recourse-enforcement-liability.
Limitations
- DPF only covers certified US organisations — non-certified vendors still need SCCs + TIA.
- Schrems III risk: NOYB has signalled legal challenges. Exporters often maintain SCCs as “fallback” alongside DPF reliance.
- Sensitive data: additional choice/consent obligations apply to special-category data.
The EU-US transfer mechanism and its limits
The EU-US Data Privacy Framework (DPF) is the adequacy mechanism, adopted in 2023, that allows personal data to flow from the EU to US companies that self-certify to its principles — the successor to Safe Harbor and Privacy Shield, both of which European courts struck down. For a US business handling EU data, certification under the DPF is a practical route to lawful transfers; for an EU business, checking whether a US vendor is DPF-certified is part of vendor due diligence. Two cautions apply. First, the DPF rests on commitments that could again be challenged, so resilient programmes keep standard contractual clauses as a fallback. Second, it is an EU mechanism: it does not by itself satisfy Türkiye’s separate cross-border transfer rules, which must be assessed on their own terms.
Related terms
KVKK + GDPR Compliance Checklist
30-item dual-regime data-protection compliance checklist - scope, legal basis, transfer, operational compliance.
Open checklist →