---
title: EU-US Data Privacy Framework — RGM® Glossary
url: https://realgrowthmatters.com/glossary/eu-us-data-privacy-framework/
updated: 2026-06-10
source_html: https://realgrowthmatters.com/glossary/eu-us-data-privacy-framework/
---

# EU-US Data Privacy Framework

D·P·Fnoun (law)

The bridge that keeps EU data flowing west — adequacy for the certified, history's warning attached.

Term
:   EU-US Data Privacy Framework

Adequacy decision
:   July 10, 2023

Succeeds
:   Privacy Shield (struck down 2020, Schrems II)

Covers
:   Transfers to certified US companies

## Forms & parts of speech

DPF · noun

The transfer bridge.

"The vendor audit's first question - is every US processor on the **Data Privacy Framework** list, or are we on SCCs alone?"

## Definition in plain terms

The EU-US Data Privacy Framework (DPF) is the arrangement under which the European Commission recognizes data transfers to certified US companies as adequate — the legal bridge that lets EU personal data flow to American processors without case-by-case safeguards. The Commission's adequacy decision landed July 10, 2023, rebuilding what the Court of Justice demolished in Schrems II (July 2020), when Privacy Shield — itself Safe Harbor's successor — fell over US surveillance law. Every marketing stack with EU users and US vendors runs across this bridge.

## The mechanics

The framework's shape: US companies self-certify to DPF principles (purpose limitation, data subject rights, onward-transfer accountability) with the certification list public; the US side's concessions — surveillance-proportionality commitments and a redress court for EU complaints — are what the adequacy decision rests on, and what its critics target. For marketers the practical surface is vendor plumbing: the ESPs, CDPs, analytics, and ad platforms processing EU data from US infrastructure either hold DPF certification (transfer solved), or transfers fall back to standard contractual clauses plus transfer impact assessments — the heavier paperwork the DPF exists to spare. The operating disciplines: the vendor inventory mapped to the certification list (and re-checked — certifications lapse), contracts naming the transfer mechanism explicitly, the DSAR-and-deletion machinery reaching the US processors (the framework's rights are only as real as the plumbing), and the fallback kept warm — because the history is the warning. Safe Harbor fell in 2015 (Schrems I), Privacy Shield in 2020 (Schrems II), and the DPF's challenge cycle is already running; stacks that survived the last invalidation had SCCs ready, and the prudent posture treats the bridge as load-bearing but not eternal.

## When it matters

The DPF matters to any organization moving EU personal data to US systems — which is most marketing stacks — at vendor selection, contract renewal, and audit time. It matters most as contingency discipline: the framework's predecessors both fell in court, so the mature posture certifies where possible, papers SCCs beneath, and keeps the transfer map current enough to survive the next Schrems on paperwork rather than panic. (General information, not legal advice.)

**Worked example.** A European retailer's privacy audit maps its marketing stack's transatlantic plumbing for the first time: fourteen US vendors process EU customer data - ESP, CDP, analytics, support, three ad platforms - and the transfer basis is folklore ('I think they're certified?'). The remediation builds the register: each vendor checked against the DPF certification list (eleven hold it; two lapsed without telling anyone - re-certified after a pointed email; one runs SCCs by design), contracts updated to name the mechanism, and the DSAR pipeline tested end-to-end to confirm rights reach the US processors in practice. The contingency layer gets built the same quarter: SCCs pre-papered for the critical vendors, so the next courtroom surprise costs a filing, not a migration. When a colleague asks why the trouble for a bridge that's standing, the audit lead's answer is the framework's own history: this is the third bridge on this river.

**Failure modes to watch.** Transfer bases living as folklore instead of a register; certifications assumed current while they lapse silently; rights machinery that stops at the Atlantic; contracts naming no mechanism at all; and no SCC fallback papered - the posture that turned the last two invalidations into migrations instead of filings.

## Synonyms & antonyms

### Synonyms

EU-US Data Privacy FrameworkDPFPrivacy Shield successor

### Antonyms

standard contractual clauses (fallback)Schrems litigation (the risk)

## Origin & history

The DPF is the third transatlantic transfer bridge — Safe Harbor (2000-2015, felled by Schrems I) and Privacy Shield (2016-2020, felled by Schrems II over US surveillance law) preceded it — rebuilt on US surveillance-proportionality commitments and a redress court, with the Commission's adequacy decision of July 10, 2023, and the next challenge cycle already in motion.

Etymology: [source](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en).

## Usage trends

Search interest for this term over the last five years:

[View interest-over-time on Google Trends →](https://trends.google.com/trends/explore?q=data%20privacy%20framework&date=today%205-y)

## Common questions

What is the EU-US Data Privacy Framework?
:   The arrangement — adequacy decision July 10, 2023 — under which EU personal data may flow to US companies certified to the framework's principles, succeeding the Privacy Shield struck down in Schrems II (2020).

What does DPF certification mean for vendors?
:   Certified US processors can receive EU data without case-by-case safeguards; uncertified ones need standard contractual clauses plus transfer assessments — so the vendor inventory maps to the public certification list.

Why keep SCCs if the DPF stands?
:   History — Safe Harbor fell in 2015, Privacy Shield in 2020, and the DPF faces the same challenge cycle; pre-papered fallbacks turn the next invalidation into paperwork instead of panic.

## Related tools & calculators

- tool[CAC calculator](/tools/cac-calculator/)
- tool[LTV:CAC calculator](/tools/ltv-to-cac-ratio-calculator/)

## Resources & people to follow

- reference[European Commission — EU-US data transfers](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en)
- reference[Data Privacy Framework program](https://www.dataprivacyframework.gov/)
- referenceRGM analysis — this is the third bridge on this river; certify, paper the SCCs beneath, keep the map current

Curated, non-competitor resources verified per term.

## Related training

- module[Performance marketing](/training/performance-marketing-foundations/)

## Disciplines

Areas of marketing where eu-us data privacy framework is a core concern:

[Performance marketing](/training/performance-marketing-foundations/)[Growth strategy](/training/growth-marketing-foundations/)

## Read next

## Related terms

[GDPR](/glossary/gdpr/)[DSAR](/glossary/dsar-data-subject-access-request/)[CCPA](/glossary/ccpa/)[DPDPA](/glossary/dpdpa/)[Consent management platform](/glossary/consent-management-platform-cmp/)

## Sources

1. trends[Google Trends — "data privacy framework"](https://trends.google.com/trends/explore?q=data%20privacy%20framework&date=today%205-y)
