In the summer of 2023, the time had come: after years of legal and political disputes, the European Commission adopted the so-called adequacy decision on the EU-U.S. Data Privacy Framework (DPF), which provides the basis for the lawful transfer of personal data from the EU to the USA. A step that finally provided many companies in the EU with the clarity they had been longing for. However, many unanswered questions and political uncertainties lurk behind the seemingly simple solution. Will the new data protection agreement actually offer a sustainable solution or is it just the prelude to another legal battle?

In this article, we take a closer look at the EU-U.S. Data Privacy Framework, highlight the potential risks and uncertainties and show what companies in the EU should know now.

Why do we need the EU-U.S. Data Privacy Framework?

Before we look at the risks and unanswered questions, we should ask ourselves why this agreement was necessary in the first place. The answer lies in the legal framework governing data transfer between the EU and the USA.

The EU General Data Protection Regulation (GDPR) places strict requirements on the transfer of personal data to third countries - i.e. countries outside the EU. In principle, personal data may only be transferred to a third country if this country guarantees an "adequate" level of data protection. In order to guarantee this, the European Commission can issue a so-called adequacy decision, which confirms that the recipient country (in this case the USA) guarantees a level of protection comparable to that in the EU.

The adequacy decision on the EU-U.S. Data Privacy Framework was developed as a solution to end the decades-long dispute over the lawful transfer of data to the USA. The USA has concluded several data protection agreements with the EU in the past, including the "Safe Harbor" agreement (declared invalid by the European Court of Justice in 2015) and the "EU-U.S. Privacy Shield" (also overturned by the ECJ in 2020). Both agreements failed to meet the requirements of the European Court of Justice, in particular due to the far-reaching surveillance capabilities of the US intelligence services.

The new framework is intended to eliminate these weaknesses and provide the EU and the US with a stable legal framework for data transfer. Whether it will succeed, however, is questionable.

The EU-U.S. Data Privacy Framework: The new rules in detail

The new agreement follows a similar model to its predecessors, but with some significant changes that are primarily intended to address the ECJ's concerns about US surveillance practices. Companies wishing to transfer personal data from the EU to the US can now do so by contacting the U.S. Department of Commerce and obtaining a certification. This certification obliges US companies to comply with the data protection obligations set out in the agreement.

The most important new regulations include:

Limiting access by US intelligence services: One of the biggest criticisms of the previous agreements was the extensive surveillance by US intelligence services. The new framework attempts to address these concerns by limiting the access of US intelligence services to EU data to what is "necessary" and "proportionate". This is intended to prevent personal data from being accessed on a massive scale without there being a specific need to do so.

The Data Protection Review Court (DPRC): In order to guarantee affected EU citizens an effective right to access and review their data, a new court is being introduced: the "Data Protection Review Court" (DPRC). EU citizens who believe that their data has been misused will be able to lodge a complaint here, which will then be examined by independent judges.

Binding rules for US companies: US companies that join the Data Privacy Framework undertake to comply with detailed data protection requirements, including, for example, the deletion of personal data once the purpose for which it was collected has been achieved or the protection of data that is passed on to third parties.

In theory, these changes should meet the requirements of the ECJ and create a solid legal basis for the transfer of data between the EU and the USA. In practice, however, things look different.

Political uncertainties: A new obstacle to data protection?

Although the EU-U.S. Data Privacy Framework brings many improvements on paper, it could once again be jeopardized by political instability in the USA. This became apparent in the first months of 2025, when members of the Privacy and Civil Liberties Oversight Board (PCLOB), a central supervisory body that monitors compliance with data protection standards under the framework, were forced to step down.

One of the PCLOB's tasks is to review the surveillance practices of the US intelligence services and ensure that these are in line with the requirements of the agreement. Should this body be weakened or dissolved by political changes in the USA, confidence in the entire framework could be massively shaken. This could lead to considerable problems in the long term, particularly with regard to the far-reaching surveillance powers of the US intelligence services, which remain a central issue in international data protection law.

There is also the question of the independence of the Data Protection Review Court (DPRC). Should this court be subject to political influence, it would not be able to fulfill its task of guaranteeing EU citizens access to effective legal protection mechanisms. The question of how the US government implements the rights of EU citizens in practice also remains critical. Without functioning and independent oversight, the promised data protection guarantees could remain empty promises in reality.

What does this mean for companies in the EU?

For companies in the EU that wish to transfer personal data to the USA, the new agreement does bring a semblance of legal clarity. However, it remains to be seen how long this clarity will last. If the agreement is challenged again before the ECJ, companies that now rely on the framework could quickly end up in a legal gray area again.

Companies should therefore not rely solely on the new agreement, but also keep an eye on alternatives. For example, standard contractual clauses (SCCs) can still be used as an additional safeguard to put data transfers on a lawful footing even without the new framework. Companies should also regularly check whether the US companies they work with are actually certified and whether the agreed data protection measures are actually being adhered to in practice.

Conclusion: A breakthrough or a farce?

At first glance, the EU-U.S. Data Privacy Framework offers a solution to the pressing problem of transatlantic data transfer. It provides companies in the EU with a legal basis for exchanging data with the USA without having to resort to additional data protection guarantees such as standard contractual clauses. However, the political uncertainty in the US, in particular the potential impact on the independence of supervisory bodies and courts, raises significant questions.

Companies should therefore take the new framework with a grain of salt and be aware that there are still political and legal uncertainties that could jeopardize the long-term success of the agreement. The experience of recent years shows how quickly data protection agreements can collapse - and that could be the case this time too.

Progress with a catch - Why the EU-U.S. Data Privacy Framework is not yet a permanent solution

The EU-U.S. Data Privacy Framework is a step in the right direction, but it remains a fragile construct. The political developments in the USA and the existing gap between European and American data protection concepts make the framework a temporary solution that could be put to the test again at any time. Companies should not feel too secure and should always consider alternative mechanisms such as SCCs. After all, the political situation could change faster than you think, and then the framework will be put to the test again.
