Privacy Shield Replacement
The EU-US Data Privacy Framework replacing the invalidated Privacy Shield, providing legal basis for transatlantic data transfers with new intelligence oversight safeguards.
The EU-US Data Privacy Framework (DPF) is the successor to the invalidated EU-US Privacy Shield, established through an EU adequacy decision adopted in July 2023. The DPF provides a legal mechanism for transferring personal data from the EU to certified US organizations. It is built on Executive Order 14086, which introduced new safeguards limiting US intelligence agencies' access to EU personal data.
US organizations self-certify to the DPF through the Department of Commerce, committing to a set of privacy principles including notice, choice, accountability for onward transfers, security, data integrity, access, and recourse. The framework introduces a two-tier redress mechanism for EU individuals: first through a Civil Liberties Protection Officer within the US intelligence community, then through a Data Protection Review Court (DPRC) with binding authority to order data deletion. Executive Order 14086 limits signals intelligence collection to what is necessary and proportionate for defined national security objectives. The European Commission evaluated these safeguards as providing adequate protection, enabling transfers to DPF-certified organizations without additional mechanisms such as Standard Contractual Clauses (SCCs).
The Schrems II invalidation of Privacy Shield created massive compliance uncertainty for thousands of organizations relying on transatlantic data flows. The DPF restores a streamlined transfer mechanism, but faces legal challenges from privacy advocates who argue the new safeguards are insufficient. Max Schrems and NOYB have signaled potential litigation (Schrems III). Organizations must prepare for potential invalidation by maintaining fallback mechanisms. The DPF adequacy decision is subject to periodic review, with the first review completed in 2024 confirming continued adequacy.
CDA monitors the DPF within the Data Protection and Sovereignty domain and advises organizations on resilient transfer architectures. Our missions help organizations certify under the DPF while maintaining parallel SCC arrangements and technical supplementary measures as contingency against potential future invalidation.
Written by CDA Editorial