EU-US Data Privacy Framework
The bridge that keeps EU data flowing west — adequacy for the certified, history's warning attached.
- Term
- EU-US Data Privacy Framework
- Adequacy decision
- July 10, 2023
- Succeeds
- Privacy Shield (struck down 2020, Schrems II)
- Covers
- Transfers to certified US companies
Forms & parts of speech
Definition in plain terms
The EU-US Data Privacy Framework (DPF) is the arrangement under which the European Commission recognizes data transfers to certified US companies as adequate — the legal bridge that lets EU personal data flow to American processors without case-by-case safeguards. The Commission's adequacy decision landed July 10, 2023, rebuilding what the Court of Justice demolished in Schrems II (July 2020), when Privacy Shield — itself Safe Harbor's successor — fell over US surveillance law. Every marketing stack with EU users and US vendors runs across this bridge.
The mechanics
The framework's shape: US companies self-certify to DPF principles (purpose limitation, data subject rights, onward-transfer accountability) with the certification list public; the US side's concessions — surveillance-proportionality commitments and a redress court for EU complaints — are what the adequacy decision rests on, and what its critics target. For marketers the practical surface is vendor plumbing: the ESPs, CDPs, analytics, and ad platforms processing EU data from US infrastructure either hold DPF certification (transfer solved), or transfers fall back to standard contractual clauses plus transfer impact assessments — the heavier paperwork the DPF exists to spare. The operating disciplines: the vendor inventory mapped to the certification list (and re-checked — certifications lapse), contracts naming the transfer mechanism explicitly, the DSAR-and-deletion machinery reaching the US processors (the framework's rights are only as real as the plumbing), and the fallback kept warm — because the history is the warning. Safe Harbor fell in 2015 (Schrems I), Privacy Shield in 2020 (Schrems II), and the DPF's challenge cycle is already running; stacks that survived the last invalidation had SCCs ready, and the prudent posture treats the bridge as load-bearing but not eternal.
When it matters
The DPF matters to any organization moving EU personal data to US systems — which is most marketing stacks — at vendor selection, contract renewal, and audit time. It matters most as contingency discipline: the framework's predecessors both fell in court, so the mature posture certifies where possible, papers SCCs beneath, and keeps the transfer map current enough to survive the next Schrems on paperwork rather than panic. (General information, not legal advice.)
Synonyms & antonyms
Synonyms
Antonyms
Origin & history
The DPF is the third transatlantic transfer bridge — Safe Harbor (2000-2015, felled by Schrems I) and Privacy Shield (2016-2020, felled by Schrems II over US surveillance law) preceded it — rebuilt on US surveillance-proportionality commitments and a redress court, with the Commission's adequacy decision of July 10, 2023, and the next challenge cycle already in motion.
Etymology: source.
Usage trends
Search interest for this term over the last five years:
Common questions
- What is the EU-US Data Privacy Framework?
- The arrangement — adequacy decision July 10, 2023 — under which EU personal data may flow to US companies certified to the framework's principles, succeeding the Privacy Shield struck down in Schrems II (2020).
- What does DPF certification mean for vendors?
- Certified US processors can receive EU data without case-by-case safeguards; uncertified ones need standard contractual clauses plus transfer assessments — so the vendor inventory maps to the public certification list.
- Why keep SCCs if the DPF stands?
- History — Safe Harbor fell in 2015, Privacy Shield in 2020, and the DPF faces the same challenge cycle; pre-papered fallbacks turn the next invalidation into paperwork instead of panic.
Related tools & calculators
- toolCAC calculator
- toolLTV:CAC calculator
Resources & people to follow
- referenceEuropean Commission — EU-US data transfers
- referenceData Privacy Framework program
- referenceRGM analysis — this is the third bridge on this river; certify, paper the SCCs beneath, keep the map current
Curated, non-competitor resources verified per term.
Related training
- modulePerformance marketing
Disciplines
Areas of marketing where eu-us data privacy framework is a core concern: