
EU–US Data Privacy Framework: Restoring Transatlantic Data Flows After Schrems II

After the EU‑US Privacy Shield was invalidated in 2020, organisations relied on Standard Contractual Clauses and other mechanisms for cross‑border data transfers. The EU‑US Data Privacy Framework, adopted in 2023, introduces enhanced safeguards, a Data Protection Review Court and ongoing oversight to restore legal certainty.


The transatlantic transfer of personal data is critical for global business but fraught with legal challenges. The EU‑US Privacy Shield, which provided a legal basis for data transfers between the European Union and the United States, was invalidated by the Court of Justice of the European Union (CJEU) in 2020 in the Schrems II decision. The court held that the framework did not adequately protect EU citizens from U.S. surveillance laws and lacked effective judicial redress. This invalidation underscored the importance of robust cross‑border data protection and forced organisations to rely on other mechanisms.

What replaced the Privacy Shield

After the Privacy Shield’s demise, businesses turned to Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and other derogations. The European Commission updated the SCCs to better address General Data Protection Regulation (GDPR) requirements and the concerns about U.S. surveillance laws. Companies using SCCs must now perform transfer impact assessments and ensure that the recipient country’s legal system affords adequate protection. BCRs provide a company‑wide privacy policy approved by EU data protection authorities for intra‑group transfers, while codes of conduct and certification mechanisms offer alternative pathways for compliance. In limited cases, derogations and data localisation may be used.

The EU‑US Data Privacy Framework

To restore legal certainty, the European Commission and the U.S. government negotiated a new agreement, the EU‑US Data Privacy Framework (DPF). The DPF, adopted in 2023 following an adequacy decision, aims to protect personal data transferred from Europe to the United States and features enhanced safeguards that limit U.S. intelligence services’ access to data. It was informed by President Biden’s 2022 executive order on enhancing safeguards for U.S. signals intelligence activities, which addressed concerns raised in Schrems II. The framework establishes a Data Protection Review Court (DPRC) that provides EU individuals with a means of contesting U.S. government access to their data and can order deletion of data collected in violation of the safeguards.

U.S. companies can join the DPF by self‑certifying and committing to a detailed set of privacy obligations. These obligations include deleting personal data when it is no longer necessary and ensuring continuity of protection when personal data is shared with third parties. The DPF will be reviewed periodically by the European Commission, representatives of European data protection authorities and U.S. authorities to assess compliance and address emerging issues. The framework does not eliminate the need for supplementary measures: organisations must still assess whether U.S. law provides equivalent protection and implement additional safeguards where appropriate.

Implementation challenges and recommended actions

Despite the DPF’s adoption, transatlantic data transfers remain a moving target. Organisations should:

  • Conduct transfer impact assessments: Evaluate legal risks associated with U.S. surveillance and document supplementary measures (encryption, split processing, pseudonymisation) used to protect data.
  • Monitor regulatory developments: Track challenges to the DPF in EU courts and be prepared to revert to SCCs or other mechanisms if the adequacy decision is overturned.
  • Maintain contractual protections: Use updated SCCs and robust data processing agreements to ensure continuity of protection, even when relying on DPF certification.
  • Enhance accountability: Assign internal responsibility for cross‑border data transfer compliance, maintain records of processing activities and prepare for audits by EU or U.S. authorities.

Zeph Tech analysis

The EU‑US Data Privacy Framework represents a significant step toward restoring lawful transatlantic data flows, but its future is uncertain. Privacy advocates have already signalled intentions to challenge the adequacy decision, and organisations should treat DPF certification as one tool among many. Zeph Tech recommends adopting a defence‑in‑depth approach: combine DPF certification with updated SCCs, robust contractual clauses and technical safeguards; perform ongoing risk assessments; and engage with regulators to stay ahead of evolving requirements.

Implementation timeline

Organizations should establish clear milestones for addressing the requirements introduced by this development. Key phases typically include:

  • Immediate (0-30 days): Conduct gap analysis comparing current capabilities against new requirements. Brief executive leadership and board members on obligations and potential compliance paths. Identify internal stakeholders who will own implementation workstreams.
  • Near-term (1-3 months): Update policies, procedures, and technical controls to align with new standards. Designate accountable roles and begin staff training. Engage external advisors where specialized expertise is required.
  • Medium-term (3-12 months): Complete implementation of required changes, conduct internal audits, and establish ongoing monitoring mechanisms. Document lessons learned and refine processes based on initial operational experience.
  • Long-term (12+ months): Integrate requirements into regular compliance cycles, update vendor contracts, and participate in industry working groups to track evolving interpretations. Plan for periodic reassessments as regulatory guidance matures.

Organizations with mature governance programs may accelerate these timelines by leveraging existing control frameworks and cross-functional teams. Those building capabilities from scratch should budget additional time for foundational work and stakeholder alignment.

Compliance considerations

Legal and compliance teams should assess how this development interacts with other regulatory obligations. Key areas to evaluate include:

  • Regulatory overlap: Identify where requirements overlap with existing frameworks (e.g., data protection laws, sector-specific regulations) and establish unified control implementations. Map common controls to reduce duplication and streamline audit evidence collection.
  • Documentation requirements: Determine what evidence will satisfy auditors and regulators. Develop templates for required documentation and establish retention policies. Implement version control and change management procedures for compliance artifacts.
  • Third-party assurance: Evaluate whether external certifications or attestations will strengthen compliance posture and facilitate customer trust. Consider industry-recognized frameworks that provide portable evidence across multiple regulatory contexts.
  • Cross-border implications: For multinational organizations, assess how requirements apply across different jurisdictions and whether harmonized or jurisdiction-specific approaches are necessary. Monitor regulatory cooperation agreements that may affect enforcement coordination.

Regular consultation with external counsel may be warranted as enforcement practices and regulatory guidance evolve. Organizations should establish clear escalation paths for novel compliance questions that arise during implementation.

  • Executive leadership: Board members and C-suite executives must understand strategic implications, resource requirements, and reputational considerations. They should ensure appropriate governance structures exist to oversee implementation and ongoing compliance. Executive sponsors should be designated to champion implementation efforts and resolve cross-functional conflicts.
  • Legal and compliance teams: These functions bear primary responsibility for interpreting requirements, mapping them to existing obligations, and advising business units on permissible activities. They should coordinate closely with external counsel on novel questions. Compliance teams should establish monitoring programs to track adherence and identify emerging issues before they escalate.
  • Technology teams: Engineering, architecture, and IT operations groups must assess technical feasibility, system changes, and integration requirements. They should plan for testing, deployment, and ongoing maintenance of compliance-related technical controls. Security teams should evaluate how changes affect the organization's security posture and threat landscape.
  • Business operations: Product managers, customer-facing teams, and operational units need to understand how requirements affect day-to-day activities, customer interactions, and service delivery. Training and process documentation should address their specific workflows. Change management programs should support smooth transitions without disrupting business continuity.
  • Third-party relationships: Procurement, vendor management, and partnership teams should evaluate how requirements flow down to suppliers, contractors, and business partners. Contract amendments and ongoing monitoring may be necessary. Due diligence processes should be enhanced to verify third-party compliance postures.

Effective implementation requires coordination across these stakeholder groups, with clear communication channels and escalation procedures for cross-functional issues. Regular status updates and governance checkpoints help maintain alignment and momentum throughout the implementation lifecycle.
