Personalized Video Content: Privacy & Consent Explained
EU-US Data Transfers Resume Under Fresh Framework
Data transfers between the European Union and the United States are once again permitted following the implementation of the EU-US Data Privacy Framework (DPF) on July 10, 2023, replacing the invalidated Privacy Shield agreement. The new framework aims to address concerns raised by the European Court of Justice (ECJ) regarding US surveillance practices and their impact on the privacy of EU citizens’ data.
The ECJ’s 2020 ruling in the Schrems II case deemed the Privacy Shield inadequate, citing insufficient protection against access to personal data by US intelligence agencies. The DPF seeks to remedy this by establishing a new set of principles and safeguards for transatlantic data flows. The framework certifies US companies that adhere to data protection standards substantially equivalent to those in the EU, allowing for the transfer of personal data from the EU to these certified organizations without requiring additional measures like Standard Contractual Clauses (SCCs).
According to the German Chamber of Industry and Commerce (IHK), companies utilizing the DPF must ensure that any sub-processors or subcontractors they employ in the US are likewise certified under the framework or provide equivalent guarantees for an adequate level of data protection, such as relying on SCCs. Existing SCCs remain valid, offering an alternative pathway for data transfers.
The DPF establishes a two-tiered redress system for individuals whose data may have been unlawfully processed. The first stage involves investigation by the Civil Liberties Protection Officer of the US intelligence community. A newly created Data Protection Review Court will then independently examine complaints regarding access to personal data by US national security authorities, with the power to issue binding remedies, including deletion orders.
While the DPF provides a streamlined process for data transfers to certified US companies, the transfer of data to non-certified entities still requires adherence to existing GDPR requirements. The legal basis for data processing, such as consent or contractual necessity, must be established, and appropriate safeguards, like SCCs or Binding Corporate Rules, must be implemented.
The European Commission’s adequacy decision confirming the appropriate level of data protection in the US under the DPF applies specifically to companies that have self-certified to the framework. A list of certified companies is available for verification. The framework’s continued validity hinges on ongoing monitoring and compliance by the US government and participating organizations.
The distinction between “safe” and “unsafe” third countries, as defined by the General Data Protection Regulation (GDPR), is central to the legality of international data transfers. Countries with an adequacy decision from the European Commission, such as Canada, Japan, and the United Kingdom, are treated as safe destinations for data transfers. For transfers to countries without such a decision, additional safeguards are required. The DPF now places the US, for certified companies, within the category of safe countries.
The Wirtschaftskammer Österreich (WKO) highlights that the DPF guarantees rights comparable to those under the GDPR, including access, rectification, and erasure rights, as well as remedies for individuals whose data is processed unlawfully. The framework also aims to limit the access of US intelligence agencies to personal data to what is strictly necessary and proportionate for national security purposes.
