Growth Marketing Glossary

EU-US Data Privacy Framework

D·P·Fnoun (law)

The bridge that keeps EU data flowing west — adequacy for the certified, history's warning attached.

EUUSadequacy, July 2023after Privacy Shield fell (Schrems II)certified companies onlythe legal bridge for EU data crossing the Atlantic
Schematic — the transatlantic adequacy bridge
Term
EU-US Data Privacy Framework
Adequacy decision
July 10, 2023
Succeeds
Privacy Shield (struck down 2020, Schrems II)
Covers
Transfers to certified US companies

Forms & parts of speech

DPF · noun
The transfer bridge.
"The vendor audit's first question - is every US processor on the Data Privacy Framework list, or are we on SCCs alone?"

Definition in plain terms

The EU-US Data Privacy Framework (DPF) is the arrangement under which the European Commission recognizes data transfers to certified US companies as adequate — the legal bridge that lets EU personal data flow to American processors without case-by-case safeguards. The Commission's adequacy decision landed July 10, 2023, rebuilding what the Court of Justice demolished in Schrems II (July 2020), when Privacy Shield — itself Safe Harbor's successor — fell over US surveillance law. Every marketing stack with EU users and US vendors runs across this bridge.

The mechanics

The framework's shape: US companies self-certify to DPF principles (purpose limitation, data subject rights, onward-transfer accountability) with the certification list public; the US side's concessions — surveillance-proportionality commitments and a redress court for EU complaints — are what the adequacy decision rests on, and what its critics target. For marketers the practical surface is vendor plumbing: the ESPs, CDPs, analytics, and ad platforms processing EU data from US infrastructure either hold DPF certification (transfer solved), or transfers fall back to standard contractual clauses plus transfer impact assessments — the heavier paperwork the DPF exists to spare. The operating disciplines: the vendor inventory mapped to the certification list (and re-checked — certifications lapse), contracts naming the transfer mechanism explicitly, the DSAR-and-deletion machinery reaching the US processors (the framework's rights are only as real as the plumbing), and the fallback kept warm — because the history is the warning. Safe Harbor fell in 2015 (Schrems I), Privacy Shield in 2020 (Schrems II), and the DPF's challenge cycle is already running; stacks that survived the last invalidation had SCCs ready, and the prudent posture treats the bridge as load-bearing but not eternal.

When it matters

The DPF matters to any organization moving EU personal data to US systems — which is most marketing stacks — at vendor selection, contract renewal, and audit time. It matters most as contingency discipline: the framework's predecessors both fell in court, so the mature posture certifies where possible, papers SCCs beneath, and keeps the transfer map current enough to survive the next Schrems on paperwork rather than panic. (General information, not legal advice.)

Worked example. A European retailer's privacy audit maps its marketing stack's transatlantic plumbing for the first time: fourteen US vendors process EU customer data - ESP, CDP, analytics, support, three ad platforms - and the transfer basis is folklore ('I think they're certified?'). The remediation builds the register: each vendor checked against the DPF certification list (eleven hold it; two lapsed without telling anyone - re-certified after a pointed email; one runs SCCs by design), contracts updated to name the mechanism, and the DSAR pipeline tested end-to-end to confirm rights reach the US processors in practice. The contingency layer gets built the same quarter: SCCs pre-papered for the critical vendors, so the next courtroom surprise costs a filing, not a migration. When a colleague asks why the trouble for a bridge that's standing, the audit lead's answer is the framework's own history: this is the third bridge on this river.
Failure modes to watch. Transfer bases living as folklore instead of a register; certifications assumed current while they lapse silently; rights machinery that stops at the Atlantic; contracts naming no mechanism at all; and no SCC fallback papered - the posture that turned the last two invalidations into migrations instead of filings.

Synonyms & antonyms

Synonyms

EU-US Data Privacy FrameworkDPFPrivacy Shield successor

Antonyms

standard contractual clauses (fallback)Schrems litigation (the risk)

Origin & history

The DPF is the third transatlantic transfer bridge — Safe Harbor (2000-2015, felled by Schrems I) and Privacy Shield (2016-2020, felled by Schrems II over US surveillance law) preceded it — rebuilt on US surveillance-proportionality commitments and a redress court, with the Commission's adequacy decision of July 10, 2023, and the next challenge cycle already in motion.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is the EU-US Data Privacy Framework?
The arrangement — adequacy decision July 10, 2023 — under which EU personal data may flow to US companies certified to the framework's principles, succeeding the Privacy Shield struck down in Schrems II (2020).
What does DPF certification mean for vendors?
Certified US processors can receive EU data without case-by-case safeguards; uncertified ones need standard contractual clauses plus transfer assessments — so the vendor inventory maps to the public certification list.
Why keep SCCs if the DPF stands?
History — Safe Harbor fell in 2015, Privacy Shield in 2020, and the DPF faces the same challenge cycle; pre-papered fallbacks turn the next invalidation into paperwork instead of panic.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where eu-us data privacy framework is a core concern:

Sources

  1. trendsGoogle Trends — "data privacy framework"