The Data Privacy Framework (DPF), adopted in July 2023 by the European Commission as an adequacy decision pursuant to Article 45 of the GDPR, is now facing heightened legal and political uncertainty. Following the successive invalidation of Safe Harbor in 2015 and Privacy Shield in 2020 by the Court of Justice of the European Union (CJEU) in the Schrems I and Schrems II rulings, the DPF could in turn be subject to annulment, whether through judicial review by the CJEU or due to shifting political dynamics in the United States.
Reminder: What does the GDPR say about international transfers?
Under Articles 44 et seq. of Regulation (EU) 2016/679 of 27 April 2016 (GDPR), personal data may be transferred to a country outside the European Union only if one of the mechanisms of Chapter V applies. The primary route is an adequacy decision adopted by the European Commission, which formally recognises that the destination country ensures a level of protection essentially equivalent to that guaranteed in the EU. In the absence of such a decision, the exporter must put in place appropriate safeguards (such as standard contractual clauses) and, where the local legal framework falls short, supplementary measures that compensate for its deficiencies; the derogations of Article 49 remain a residual option for occasional transfers.
Any transfer that satisfies none of these conditions, whether a direct sending, remote access from the third country, or any other form of making the data available, is unlawful under the GDPR.
Article 45(2) of the GDPR lists the criteria the European Commission must consider when deciding whether a third country provides an adequate level of data protection. These criteria include:
The rule of law and the country's legislation, in particular the rules on public security, defence, national security and criminal law, the conditions under which public authorities may access personal data, and the effective administrative and judicial remedies available to data subjects to challenge such processing.
The existence of one or more independent supervisory authorities, responsible for enforcing the rules and assisting data subjects in exercising their rights.
The country's international commitments, such as accession to Convention 108 of the Council of Europe on data protection.
What about US transfers?
U.S. surveillance laws, in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), Executive Order 12333 and the CLOUD Act, allow U.S. authorities to obtain data held by U.S. companies, including data concerning people in the EU. In Schrems II the CJEU held that the surveillance programmes based on FISA 702 and EO 12333 were not limited to what is strictly necessary and gave EU data subjects no actionable remedy before an independent body. That finding is what drives the criticism that the DPF still does not deliver an adequate level of protection.
This is the main reason the Court of Justice of the European Union (CJEU) has twice invalidated the previous adequacy decisions: Safe Harbor in 2015 (Schrems I) and Privacy Shield in 2020 (Schrems II).
Despite this, on July 10, 2023 the European Commission adopted a third adequacy decision, for the EU-U.S. Data Privacy Framework (DPF), taking the view that the U.S. reforms introduced through Executive Order 14086, including new safeguards and redress mechanisms, were sufficient to re-establish adequacy.
Main arguments put forward by the European Commission:
Changes in U.S. law: by executive order (Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities"), the United States limited signals intelligence collection to what is "necessary" and "proportionate" to a validated intelligence priority.
Redress mechanism: Implementation of a two-tier process allowing European citizens to contest the use of their data.
- The complaint is first examined by the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence;
- If contested, the case can be taken to the Data Protection Review Court (DPRC), a newly established appellate body.
- In addition, oversight is to be exercised by the Privacy and Civil Liberties Oversight Board (PCLOB), an independent body operating within the U.S. executive branch. Composed of five members, it is tasked with evaluating government strategies and their implementation regarding privacy and civil liberties protection.
Regular oversight: The European Commission plans to regularly review whether the protection level remains adequate.
The DPF in Practice: Legal Framework and Mechanisms
This decision thus allows the free transfer of personal data from the EU to certified U.S. organizations, without requiring additional guarantees such as standard contractual clauses, provided that:
The U.S. recipient self-certifies with the U.S. Department of Commerce and appears on the DPF List;
The organisation commits to the DPF Principles, including transparency, data minimisation, and access rights;
Certification is renewed annually, and made publicly accessible;
It is therefore essential for any data controller subject to the GDPR to verify before any transfer that the receiving entity is indeed on the official list of certified organizations, available on the U.S. Department of Commerce website (under Participant Search on dataprivacyframework.gov).
For all other non-certified recipients, it is imperative to implement appropriate safeguards, such as standard contractual clauses (SCCs), and ensure that data subjects have enforceable rights as well as effective remedy avenues.
Key legal challenges
Despite its formal adequacy, the DPF is criticised for several structural deficiencies:
Contested element | Legal concern
---|---
Executive Order–based guarantees | The commitments in Executive Order 14086 are not enshrined in a U.S. statute and can be amended or revoked by a later executive order; they are therefore politically reversible.
PCLOB as the sole oversight guarantee | Its members are appointed, and removable, by the U.S. executive. The Trump administration recently removed three of the five members, depriving the board of a quorum.
DPRC independence | The DPRC would not constitute an independent tribunal within the meaning of Article 47 of the Charter of Fundamental Rights of the EU.
Ongoing mass surveillance | FISA 702 and the CLOUD Act remain in force. U.S. authorities apply a reading of proportionality that differs from the one required by Article 52(1) of the Charter of Fundamental Rights of the EU, so the limits on government access remain incompatible with the GDPR.
The return of legal insecurity
The risk of legal invalidation of the Data Privacy Framework (DPF) remains significant. Should the safeguards currently underpinning the framework fail to function effectively in practice, the Court of Justice of the European Union (CJEU) could declare the adequacy decision invalid, as it previously did with Safe Harbor and Privacy Shield.
Such an outcome would plunge both EU-based data exporters — particularly those relying on U.S.-hosted cloud services — and U.S. service providers into a renewed state of legal insecurity. The consequences would be multifaceted.
Lack of strategic visibility: Not knowing whether the DPF will be maintained, adapted, or annulled, many companies may suspend their projects or resort to temporary solutions.
The risk of operational disruption and elevated compliance costs: urgent re-mapping of data flows, review of vendor contracts, and renegotiation of clauses, all within short compliance windows — especially in the context of international group structures or complex processing chains.
Complication of contractual relationships: To mitigate risk, data exporters would be required to multiply legal safeguards, such as detailed contractual clauses, Transfer Impact Assessments (TIAs), and audits. This would increase administrative burden, slow operational agility, and strain partnerships.
Increased risk of inadvertent non-compliance: exposing organisations to potential administrative fines, regulatory investigations, and reputational damage. This erosion of legal certainty may also undermine trust from data subjects, business partners, and supervisory authorities.
🔍 Based on precedent, the most plausible fallback scenario would mirror what occurred in 2020 following the annulment of Privacy Shield: a rapid migration to Standard Contractual Clauses (SCCs) as a transitional legal basis for EU–U.S. data transfers — rather than a complete suspension of such transfers.
The DPF under scrutiny
The European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, stated during a recent webinar organised by the Center for Strategic and International Studies that the Commission is "determined" to pursue the agreement.
However, this institutional support comes as several national data protection authorities — including those of Sweden, Norway, and Denmark — have begun to issue cautionary guidance, even in the context of a valid adequacy decision. These authorities encourage data controllers and processors to:
Critically assess the necessity of engaging U.S.-based service providers;
Prefer EU-based or sovereign alternatives when handling sensitive categories of personal data;
Reinforce internal governance over international transfers, ensuring proper documentation and traceability;
Verify the proportionality of transfers, taking into account both the nature of the data and the specific processing purposes.
In parallel, civil society and legal actors continue to challenge the DPF. The organisation NOYB (None of Your Business), founded by privacy advocate Max Schrems, has publicly denounced the DPF as offering no material improvement over the mechanisms previously invalidated by the CJEU.
Moreover, in September 2023, Philippe Latombe, a French Member of Parliament (MoDem) and digital affairs specialist, lodged an action for annulment before the General Court of the European Union (Case T-553/23), seeking to overturn the Commission's adequacy decision on grounds of structural non-conformity with EU fundamental rights standards.
Assessing the destination country's legislation: the paradox of the DPF
On paper, the Data Privacy Framework is compliant: it relies on a Commission adequacy decision and on formal commitments from the U.S. authorities.
But as soon as one conducts the deeper evaluation required by European case law (notably after the Schrems rulings), the same structural weaknesses that justified the invalidation of the previous agreements reappear: mass surveillance, the absence of binding statutory law, limited remedies, and reliance on revocable political commitments. This is the inherent contradiction of the DPF.
These concerns undermine the "essential equivalence" required by EU fundamental rights standards. If the DPF is invalidated, data controllers would fall back on Standard Contractual Clauses (SCCs):
But per the CJEU, SCCs alone are not sufficient where the legal system of the third country presents risks;
Controllers must conduct a Transfer Impact Assessment (TIA) and consider supplementary measures — often hard to implement when fundamental legal deficiencies exist.
Organisations therefore face a dilemma: rely on a contested mechanism, or pre-emptively shift their strategy, as many did after the fall of Privacy Shield in 2020.
Despite the criticism: the DPF may yet survive
While subject to growing legal and political scrutiny, the Data Privacy Framework (DPF) remains, as of today, a valid legal mechanism for transferring personal data from the EU to the United States.
The DPF is still fully applicable:
It is based on a Commission adequacy decision under Article 45 GDPR;
It enables transfers without the need for supplementary safeguards, provided that the U.S. recipient is certified under the DPF scheme.
A possible path forward before the CJEU:
The Court may choose to preserve the DPF — at least temporarily — in light of the strategic importance of transatlantic data flows;
The periodic reviews built into the Commission's evaluation mechanism (the first was completed in 2024) serve as a test of the DPF's practical effectiveness, and any finding that the safeguards have stopped working in practice would more likely lead the Commission to suspend or amend the decision before the Court has to rule on it;
The commitments made by the U.S. authorities were approved by the representatives of the EU Member States in the committee procedure that preceded the adoption of the decision;
🔍 Final nuance: do not conflate data protection and digital sovereignty
The GDPR safeguards individual rights and legal compliance;
By contrast, digital sovereignty is a geopolitical objective, seeking to reduce structural dependency on non-EU technologies and infrastructure;
These are complementary but distinct debates, and the DPF primarily falls within the legal compliance framework.
The takeaway: while the DPF may not be flawless, it remains — for the time being — a legally available tool, and its short-term stability should not be ruled out. The real question is how to build long-term resilience in a shifting legal landscape.
What comes next?
For now, data transfers to the United States via the DPF remain legally valid. The adequacy decision adopted by the European Commission in July 2023 remains fully effective unless and until it is suspended or annulled by either the CJEU or the Commission itself.
However, if the core elements underpinning the decision (for example, oversight by the PCLOB) cease to operate in practice, the CJEU may find that the level of protection is no longer "essentially equivalent" to that required under EU law. In that case, the Court would be bound, following the precedents set in Schrems I and II, to declare the DPF invalid.
The European Commission faces a dilemma: on one hand, it must ensure the stability of transatlantic data flows, vital to the digital economy; on the other, it must fulfil its duty as guardian of the Treaties, particularly the Charter of Fundamental Rights.
🧭 For companies, the warning is clear:
Prepare now for a possible challenge to the DPF’s legal validity;
This is especially urgent in light of the possibility that a new U.S. administration could roll back key commitments, destabilising the basis of the current adequacy decision.
In such a scenario, anticipating fallback mechanisms becomes essential.
How to anticipate? Best practices to implement with Dastra
In short, while the DPF is compliant with the GDPR on paper today, its foundation rests on reversible U.S. political commitments rather than on a codified legal basis, raising legitimate doubts about its long-term solidity.
In this unclear context, companies must adopt a proactive approach and can anticipate by taking these concrete measures:
Map all transatlantic data flows (what processing, which actors, what data);
Assess critical transfers and identify European or sovereign alternatives;
Prepare a fallback plan towards Standard Contractual Clauses;
Evaluate the costs of a potential repatriation of data to European solutions;
Conduct a financial and contractual impact analysis;
Document all compliance mechanisms (legal basis, additional measures, updated records, etc.);
Closely monitor regulatory developments.
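As an added worked example (not part of the original article, and not Dastra's product), the following Python script runs the first steps of that checklist over a transfer register: it checks each U.S. recipient against a snapshot of the DPF List, flags certifications older than the annual renewal window, treats SCCs as a usable fallback only where a Transfer Impact Assessment has been completed, and marks transfers of special categories of data for review of EU-based alternatives. The DPF List snapshot, the organisation names and the register entries are all constructed for the example; in practice the recipient check must be made against the Participant Search on dataprivacyframework.gov.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed snapshot of the DPF List: organisation -> date of last
# (re)certification. Hypothetical entries; a real check uses the
# Participant Search on dataprivacyframework.gov.
DPF_LIST_SNAPSHOT = {
    "Example Cloud Inc.": date(2025, 3, 1),
    "Acme Analytics LLC": date(2024, 1, 15),
}

# Article 9 GDPR special categories: supervisory authorities advise
# preferring EU-based alternatives for these.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "political",
                      "union", "sexual", "religion", "ethnicity"}

# Reference date for the example run (constructed).
AS_OF = date(2025, 6, 1)


@dataclass
class Transfer:
    processing: str          # name of the processing activity
    recipient: str           # U.S. importer, as named on the DPF List
    data_categories: set     # categories of personal data transferred
    mechanisms: set          # legal bases in place: "DPF" and/or "SCC"
    tia_done: bool = False   # Transfer Impact Assessment completed for the SCC route


def dpf_status(recipient, today, snapshot=DPF_LIST_SNAPSHOT):
    """'active', 'lapsed' (no recertification within a year) or 'not_listed'."""
    certified_on = snapshot.get(recipient)
    if certified_on is None:
        return "not_listed"
    if today - certified_on > timedelta(days=365):
        return "lapsed"
    return "active"


def assess_transfer(t, today, snapshot=DPF_LIST_SNAPSHOT):
    """Classify one transfer by what would remain if the DPF fell away."""
    if "DPF" in t.mechanisms:
        status = dpf_status(t.recipient, today, snapshot)
    else:
        status = "not_relied_on"
    dpf_ok = status == "active"
    # SCCs alone are not enough (Schrems II): require a completed TIA.
    scc_ok = "SCC" in t.mechanisms and t.tia_done
    if dpf_ok and scc_ok:
        finding = "covered"         # valid today and survives a DPF invalidation
    elif dpf_ok:
        finding = "dpf_only"        # valid today, no fallback prepared
    elif scc_ok:
        finding = "scc_fallback"    # DPF not usable; SCC + TIA carries the transfer
    else:
        finding = "no_valid_basis"  # must be fixed or suspended now
    return {
        "processing": t.processing,
        "recipient": t.recipient,
        "dpf_status": status,
        "finding": finding,
        "review_eu_alternative": bool(t.data_categories & SPECIAL_CATEGORIES),
    }


def fallback_report(transfers, today, snapshot=DPF_LIST_SNAPSHOT):
    """Per-transfer findings plus a count of transfers per finding."""
    results = [assess_transfer(t, today, snapshot) for t in transfers]
    summary = {}
    for r in results:
        summary[r["finding"]] = summary.get(r["finding"], 0) + 1
    return results, summary


# Constructed register of transatlantic transfers.
REGISTER = [
    Transfer("HR payroll", "Example Cloud Inc.", {"identity", "bank"}, {"DPF"}),
    Transfer("Marketing analytics", "Acme Analytics LLC", {"behaviour"},
             {"DPF", "SCC"}, tia_done=True),
    Transfer("Occupational health records", "Unknown Corp", {"health"}, {"DPF"}),
    Transfer("Backups", "Example Cloud Inc.", {"identity"}, {"DPF", "SCC"},
             tia_done=True),
]


def run_example():
    return fallback_report(REGISTER, AS_OF)


if __name__ == "__main__":
    results, summary = run_example()
    for r in results:
        print(r)
    print(summary)
```

On the constructed register the payroll transfer comes out as `dpf_only` (nothing to fall back on), the analytics transfer as `scc_fallback` because the recipient's certification has lapsed, the health-records transfer as `no_valid_basis` and flagged for an EU alternative, and the backups as `covered`. Replacing the snapshot with a current export of the DPF List and the register with your own records of processing turns this into a repeatable check rather than a one-off exercise.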
Dastra enables you to take action now!
Find out how Dastra can help you in just a few clicks.