# [Understanding the EU-U.S. Data Privacy Framework: What it means for your data?](https://usercentrics.com/knowledge-hub/eu-us-data-privacy-framework/)

By [Celestine Bahr](https://usercentrics.com/person/celestine-bahr/) · Aug 17, 2023 · 6 min read

---

**The European Union and United States again have an adequacy agreement governing privacy and security for international data transfers. The Data Privacy Framework went into effect July 10th, providing new safeguards for EU residents and enabling US companies to self-certify.**

---

## What is the EU-U.S. Data Privacy Framework?

The EU-U.S. Data Privacy Framework (DPF) is a legal agreement about managing the privacy of individuals' personal data if it is transferred across the international borders of participating countries. It reflects an adequacy decision between the European Union (EU), European Economic Area (EEA) and the United States. This means that the [European Commission](https://commission.europa.eu/index_en) and the US government have both agreed that the other takes adequate measures to limit and protect residents' personal data that is transferred internationally, if participating US companies are certified under the DPF.

The DPF also outlines data subjects' rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.

[Adequacy decision from the European Commission](https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en) (EN PDF, 2.75MB)

[US Data Privacy Framework website](https://www.dataprivacyframework.gov/s/)

#### What is an adequacy decision?

Adequacy decisions are outlined and in some cases required by the [General Data Protection Regulation (GDPR)](https://usercentrics.com/gdpr/) and other laws. Necessary data protection measures for the countries involved are written out and data transfer, surveillance, and protection operations of the participating countries are mutually investigated to ensure they meet data protection standards. This helps ensure and enable the transfer of data to "third countries" with reasonable guarantees of security and protection.

The EU-U.S. Data Privacy Framework is the new and current adequacy agreement between the EU and US, which went into effect on July 10, 2023. A review of the agreement is scheduled for one year after going into effect, to verify that all required elements have been put in place and are effective in practice.

Once the review has taken place, the [European Data Protection Board (EDPB)](https://edpb.europa.eu/edpb_en) and EU member states will determine the frequency of future reviews, though such reviews will have to take place at least every four years and the EDPB will be involved.

#### What adequacy agreement existed before the EU-U.S. Data Privacy Framework?

The previous adequacy agreement between the two regions was called the [Privacy Shield](https://www.privacyshield.gov/ps/eu-us-framework). It was in effect between July 2016 and July 2020. It was struck down by a court ruling by the [European Court of Justice](https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/search-all-eu-institutions-and-bodies/court-justice-european-union-cjeu_en) in a case known as [Schrems II](https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/) after Austrian lawyer and privacy activist Max Schrems who initiated the complaint. The grounds were that the Privacy Shield did not adequately protect EU citizens from government surveillance.

---

## What are the principles of the Data Privacy Framework?

There are seven core principles to the DPF:

**Notice**: Most data privacy laws require that data subjects whose data is processed be notified. Data subjects must be informed about what data is collected, transferred, or shared, and with which parties and for what purposes. Information about their data privacy rights and how to exercise them is also usually required. This information is generally included in a company's privacy notice or on a privacy policy web page.

**Choice**: Individuals whose data is affected by the DPF must be offered choices for processing of their data, including opting out of sharing with third parties, use of data for purposes not initially consented to, if the data is categorized as sensitive, etc. Prior consent requirements apply, as with the GDPR.

**Accountability for onward transfers**: Participating organizations must comply with certain procedures and impose certain contractual terms if data is transferred to a third party.

**Security**: "Reasonable and appropriate" measures must be taken to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.

**Data integrity and purpose limitation**: Personal data may only be used and retained for the purpose(s) for which it was collected and for which the organization has data subjects' consent. Organizations must also take reasonable steps to ensure the personal data they hold is kept updated and accurate.

**Access**: Participating countries must allow data subjects to access their personal data and request correction or deletion of it (if inaccurate or processed in a way that violates the DPF), with some exceptions.

**Recourse, enforcement and liability**: Participating companies must implement robust recourse mechanisms in cooperation with authorities to address complaints and claims under a two-tier system with the DPF.

---

## What rights do data subjects have under the EU-U.S. Data Privacy Framework?

The DPF provides several new rights to residents of participating countries if their data is or would be transferred to a third country, typically by companies that collected the data.

- Right to obtain access to their data
- Right to have their data corrected
- Right to have their data deleted (if it's incorrect or was unlawfully handled)
- Right to redress if data is wrongly handled (including free dispute resolution and arbitration)

Safeguards in place to protect the personal data of Europeans include:

- Enhanced oversight of US intelligence services to ensure compliance with surveillance limitations
- Limitation of US intelligence authorities' access to data to what is proportionate to protecting national security
- Establishment of an independent redress mechanism, including a Data Protection Review Court, to investigate and resolve complaints by EU residents about data access by US national security authorities

---

## What are the benefits of the EU-U.S. Data Privacy Framework?

- Secure flow of data among participating countries
- Reliance on SCCs no longer required for data transfer
- Streamlined legal processes for checking documentation, certifications, and required safeguards and security measures for working with US companies
- Protection of Europeans' personal data transferred to the US, addressing European Court of Justice requirements
- Limitations on surveillance by US national security authorities
- Robust legal basis for data transfers
- Economic benefits, as there is already €900 billion in annual cross-border commerce

For European companies, international data transfers to US companies that are on the DPF list will be streamlined, as they have been certified and determined to have adequate data protection operations in place. The companies involved will not have to work through arrangements with SCCs and/or other mechanisms to ensure data privacy.

European data subjects also have clearer and stronger options for complaints and getting them addressed if they suspect their data has been mishandled by a US company/companies. The redress mechanisms are available regardless of the manner of data transfer, if the US company involved is on the DPF list.

---

## What companies are eligible to participate in the DPF?

Companies based in the EU, EEA, and US can participate, though DPF participation would only be relevant if they transfer personal data collected to the United States, or plan to do so. Transfers of data to other third countries would require separate adequacy agreements or comparable measures.

Participation in the DPF requires companies to get certified by governing bodies. The process involves submission of self-certification, and participation is voluntary.

US companies that do not want to self-certify can use other data transfer mechanisms, such as standard contractual clauses (SCC), with EU partners, to enable an international flow of data.

American companies can certify their participation in the EU-U.S. Data Privacy Framework if they commit to compliance with the specified set of data privacy obligations. Common data privacy principles (included in the GDPR and other laws) involve:

- purpose limitation
- data minimization
- data retention
- data sharing with third parties
- data security

US companies were able to begin submitting initial self-certifications to the [Data Privacy Framework website](https://www.dataprivacyframework.gov/s/) as of July 17, 2023.

#### Do companies that were certified under the Privacy Shield qualify for DPF certification?

Companies that self-certified under the Privacy Shield do not need to re-certify under the DPF. Their participation will be automatic, but they must update their privacy policies accordingly and their certification will be reviewed annually. The European Data Protection Board (EDPB) will also be involved in reviews.

If a US company self-certified under the Privacy Shield but does not want to participate in the Data Privacy Framework, they must formally withdraw per the International Trade Administration's withdrawal process.

---

## Who administers the Data Privacy Framework?

In the United States the [International Trade Administration (ITA)](https://www.trade.gov/) within the [Department of Commerce (DOC)](https://www.commerce.gov/) will be the DPF's administrators. They will be responsible for processing certification applications and monitoring certified companies to determine if they continue to meet certification requirements.

Compliance of US companies with the DPF will be enforced by the [Federal Trade Commission (FTC)](https://www.ftc.gov/). Companies are also subject to the [Department of Transportation's (DOT)](https://www.transportation.gov/) investigative and enforcement powers.

---

## Does the Data Privacy Framework affect the United Kingdom or Switzerland?

#### United Kingdom and the DPF

The government of the United Kingdom is working on its own separate agreement with the United States, which would be [an extension of the Data Privacy Framework](https://www.gov.uk/government/news/uk-and-us-reach-commitment-in-principle-over-data-bridge). The International Trade Administration has stated that self-certified American companies may also self-certify compliance with the UK extension once it is in place and formally approved.

#### Switzerland and the DPF

The Swiss-U.S. Data Privacy Framework came into effect on July 17, 2023, and companies can begin the self-certification process as of that date. US companies that self-certify with that Framework must comply with the Swiss-US DPF, which includes a requirement to update privacy policies by October 17, 2023.

---

## What does the EU-U.S. Data Privacy Framework mean for the Usercentrics CMP and customers?

There is no change needed at this time for Usercentrics and its customers with regards to the DPF.

[Learn more about implementing transatlantic transfers from IAPP](https://iapp.org/media/pdf/resource_center/implementing_transatlantic_transfers.pdf)

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

---

**Celestine Bahr**
Director Legal, Compliance & Data Privacy, Usercentrics GmbH
