EU-US Data Privacy Framework: Transatlantic Data Flows Status Update

The EU-US Data Privacy Framework continues to enable transatlantic data transfers. Monitor for any legal challenges or adequacy review outcomes. The framework provides a mechanism for EU-US transfers but is not guaranteed to be permanent.

The transatlantic transfer of personal data remains critical for global business operations but continues to face legal uncertainty. The EU-US Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield, received validation from the EU General Court in September 2025 when the court upheld the European Commission's adequacy decision. However, ongoing legal challenges, political instability, and structural concerns mean organizations must maintain vigilance and prepare contingency plans for potential framework disruption.

EU General Court ruling upholds Data Privacy Framework

On September 3, 2025, the EU General Court dismissed a challenge to the Data Privacy Framework from French Member of Parliament Philippe Latombe. The court determined that improvements in US regulatory structure, especially the Data Protection Review Court and limits on bulk surveillance, justified the European Commission's adequacy decision. This ruling provides short-term legal certainty for organizations relying on DPF certification for transatlantic data transfers.

The court evaluated whether US surveillance practices adequately protect EU citizens' fundamental rights. Key factors in the court's favorable determination included the establishment of the Data Protection Review Court with authority to order deletion of improperly collected data, limitations on bulk data collection by US intelligence agencies, and binding commitments under Executive Order 14086. These structural changes addressed concerns raised in the Schrems II decision that invalidated the Privacy Shield.

However, the ruling is subject to appeal to the Court of Justice of the European Union (CJEU). Privacy advocates including Max Schrems and the NGO NOYB have signaled their intention to continue challenging the framework. If you are affected, do not interpret the General Court ruling as a permanent resolution of transatlantic data transfer legal risks.

Eroding support and political instability

Despite the favorable court ruling, support for the Data Privacy Framework has eroded significantly throughout 2025. European privacy regulators in Norway, Denmark, and Germany have encouraged businesses to prepare alternative data transfer mechanisms in anticipation of potential framework disruption. This guidance reflects ongoing skepticism about the durability of US commitments underlying the adequacy decision.

Political developments in the United States have intensified concerns about framework sustainability. Changes to the US Privacy and Civil Liberties Oversight Board, including dismissal of key members, have weakened oversight mechanisms that supported the adequacy finding. These structural changes may provide grounds for future legal challenges arguing that the framework no longer provides adequate protection.

The incoming US administration's policy priorities may affect DPF sustainability. Executive Order 14086, which provides the legal foundation for US commitments under the DPF, could be modified or rescinded through subsequent executive action. If you are affected, monitor US policy developments for signals that might affect framework continuity.

Privacy advocacy organizations continue gathering evidence of surveillance practices they argue violate DPF commitments. Additional evidence of non-compliance could support future legal challenges even if current challenges fail. The framework faces persistent scrutiny that creates ongoing uncertainty for reliant organizations.

Current compliance requirements and certification

Organizations transferring personal data from the EU to the United States under the DPF must maintain appropriate certification and compliance practices. Self-certification requires companies to commit to detailed privacy obligations including purpose limitation, data minimization, and accountability. Certified organizations must delete personal data when no longer necessary and ensure continuity of protection when sharing data with third parties.

The Department of Commerce administers DPF certification and maintains the public list of participating organizations. Companies must annually recertify their participation and respond to complaints through designated dispute resolution mechanisms. The Federal Trade Commission enforces DPF commitments and can take action against organizations that fail to honor their obligations.

DPF certification does not eliminate the need for supplementary measures in some circumstances. Organizations must still assess whether US law provides equivalent protection for their specific data processing activities and implement additional safeguards where appropriate. Standard Contractual Clauses (SCCs) may provide supplementary protection alongside DPF certification.

Documentation requirements include maintaining records demonstrating DPF compliance, responding to data subject access requests, and cooperating with regulatory inquiries. If you are affected, ensure compliance programs can evidence DPF adherence during audits or investigations.

Alternative transfer mechanisms and contingency planning

Prudent organizations maintain alternative data transfer mechanisms that can be activated if the DPF is invalidated or otherwise disrupted. Standard Contractual Clauses approved by the European Commission provide an alternative legal basis for transatlantic transfers. The updated SCCs address GDPR requirements and Schrems II concerns but require transfer impact assessments documenting supplementary measures.

Binding Corporate Rules (BCRs) provide an alternative for intra-group transfers within multinational organizations. BCRs require approval from EU data protection authorities and establish company-wide privacy policies that govern international data processing. The approval process is resource-intensive but provides strong protection against regulatory changes.

Data localization strategies may be appropriate for some organizations, particularly those processing sensitive data categories or operating in heavily regulated industries. Establishing EU-based processing capabilities eliminates dependence on cross-border transfer mechanisms but requires significant infrastructure investment and may affect operational efficiency.

Hybrid approaches combining multiple transfer mechanisms provide resilience against framework disruption. Organizations might maintain DPF certification while also executing SCCs with key partners and developing BCRs for intra-group transfers. Layered protection reduces single-point-of-failure risks.

Transfer impact assessments

Transfer impact assessments evaluate whether destination country law provides protection essentially equivalent to EU standards. For US transfers, assessments must consider surveillance legislation, government access to data, and available remedies for affected individuals. The DPF adequacy decision simplifies this analysis but does not eliminate assessment requirements for supplementary measure determinations.

Assessment methodology should document data categories transferred, processing purposes, technical and organizational security measures, and relevant destination country legal provisions. If you are affected, maintain current assessments reflecting evolving legal and political developments that might affect adequacy conclusions.

Third-party transfers require particular attention. When data is shared with sub-processors or partners, organizations must ensure appropriate transfer mechanisms extend to downstream recipients. Contract clauses should require onward transfer protections and audit rights to verify compliance.

Regular reassessment ensures transfer impact analyses remain current. Significant legal developments, new surveillance revelations, or changes to organizational data processing activities may warrant reassessment even between scheduled review cycles.

Regulatory enforcement and dispute resolution

EU data protection authorities have enforcement authority over organizations transferring data to the US under any transfer mechanism. National supervisory authorities can investigate complaints, conduct audits, and impose administrative fines for GDPR violations including inadequate transfer protections. The Irish Data Protection Commission serves as lead supervisory authority for many US technology companies with European headquarters in Ireland.

The DPF includes dispute resolution mechanisms for EU individuals to raise concerns about US government access to their data. The Data Protection Review Court can review complaints and order remedial action including data deletion. These mechanisms address Schrems II concerns about effective remedy availability but remain untested at scale.

If you are affected, maintain incident response capabilities for transfer-related regulatory inquiries. Rapid response to supervisory authority requests, documentation of transfer mechanisms and assessments, and legal counsel engagement support effective regulatory interaction.

  • Review current DPF certification status and ensure annual recertification requirements are met.
  • Assess alternative transfer mechanisms including SCCs and BCRs for contingency planning purposes.
  • Update transfer impact assessments to reflect the September 2025 General Court ruling and subsequent developments.
  • Evaluate data localization options for sensitive processing activities that may not tolerate transfer mechanism uncertainty.
  • Monitor legal challenges and policy developments that may affect DPF sustainability.
  • Brief executive leadership and boards on transatlantic data transfer risks and contingency measures.
  • Engage legal counsel to evaluate organization-specific transfer risks and mitigation strategies.
  • Establish monitoring processes for regulatory guidance and enforcement developments affecting international data transfers.

Assessment

The September 2025 General Court ruling provides welcome short-term stability for organizations relying on the Data Privacy Framework, but prudent risk management requires preparation for potential framework disruption. The pattern of transatlantic data transfer agreements being invalidated by European courts suggests the DPF may face a similar fate despite current legal validation.

If you are affected, treat DPF certification as one tool among several rather than relying on it alone for transatlantic transfers. Maintaining SCCs alongside DPF certification, developing BCR capabilities where appropriate, and evaluating data localization options provide resilience against regulatory uncertainty. The investment in redundant transfer mechanisms is justified by the significant business disruption that a potential framework invalidation would cause.

The eroding support from European privacy regulators signals that, even absent court invalidation, increased scrutiny of DPF reliance is likely. Organizations that can show defense-in-depth approaches to transfer protection will be better positioned during regulatory examinations than those relying solely on DPF certification.

Recommended: organizations should actively monitor developments affecting DPF sustainability while implementing layered transfer protection strategies. The transatlantic data transfer environment remains volatile, and adaptable compliance programs that can respond to changing requirements provide the best positioning for managing ongoing uncertainty.

Documentation

  1. EU General Court upholds EU-US Data Privacy Framework — dpocentre.com
  2. Status Check: Support Is Quickly Eroding For The EU-U.S. Data Privacy Framework — mondaq.com
  3. EU-U.S. Data Privacy Framework (DPF): Where do we stand in 2025? — didomi.io