Article | 10 February 2026
EU-US Data Privacy Framework: How Stable Is the New Framework?
What Is the EU-US Data Privacy Framework?
Background: Privacy Shield and Schrems II
Privacy Shield (2016): An agreement that simplified data transfers to the US.
Schrems II ruling (2020): The EU Court of Justice declared Privacy Shield invalid. Reason: US surveillance law (Section 702 FISA and Executive Order 12333) allows intelligence agencies broad access to data held by US providers, without redress mechanisms for EU citizens that meet EU standards.
Consequences: Organisations suddenly had to reassess cloud services (AWS, Microsoft, Google). Massive legal uncertainty arose for EU organisations using US cloud services.
EU-US DPF (2023): The European Commission adopted an adequacy decision on 10 July 2023, the third attempt to put transatlantic data transfers on a stable footing.
How the DPF Works
US organisations joining the DPF must provide additional guarantees:
- Data Protection Review Court (DPRC): A dedicated US review body that hears data protection complaints from EU individuals, operational since 2023
- Restrictions on signals intelligence: US intelligence collection must be necessary and proportionate (Executive Order 14086)
- Self-certification: US organisations certify annually with the US Department of Commerce
The Critical Problem: CLOUD Act Still Applies
The US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 means: US providers must hand over data upon a valid US court order, regardless of where the servers are located. An EU server location does not protect data held by a US provider from a CLOUD Act order.
Example: An EU organisation stores customer data at AWS in Frankfurt. A US court orders AWS to produce specific data. AWS is obliged to comply under the CLOUD Act, even though the data never left the EU. The provider is caught between conflicting legal obligations, and the customer carries the compliance risk.
The DPF governs commercial data transfers and intelligence collection safeguards. It does not suspend the CLOUD Act. The structural conflict remains.
The Court Challenges: Latombe and What Comes Next
Latombe v Commission (2025): French MP Philippe Latombe challenged the DPF adequacy decision. On 3 September 2025, the EU General Court dismissed the challenge and upheld the framework.
The appeal: Latombe appealed to the EU Court of Justice on 31 October 2025. The case is pending. The Court of Justice has historically been stricter than the General Court on US surveillance: it struck down both Safe Harbor (Schrems I) and Privacy Shield (Schrems II).
noyb / Max Schrems: The privacy organisation noyb has stated it is reviewing a broader challenge, arguing that changes in US oversight bodies since 2025 weaken the DPF’s foundations.
If the Court of Justice overturns the DPF, the legal basis for many US transfers disappears again. Contingency planning is prudent, not paranoid.
Practical Implications for IT Decision-Makers
Scenario 1: Non-critical, non-personal data in US cloud. With DPF: fine. Risk: low.
Scenario 2: Personal data in US cloud. Currently permissible; if the pending appeal succeeds, invalid again. Risk: medium; rapid migration would be needed upon a ruling.
Scenario 3: Highly sensitive data (medical, financial). Permissible but exposed to legal and political risk. Recommendation: EU providers or on-premises infrastructure.
What Is the Right Strategy?
Option 1: US hyperscalers with DPF. Lower cost and wide feature set, but the CLOUD Act risk remains and the pending CJEU appeal could change everything. Workable for non-critical data.
Option 2: European providers. Not subject to the CLOUD Act, no third-country transfer issue under the GDPR, more stable legal footing. Often more expensive, smaller ecosystem. Recommended for personal, financial and medical data.
Option 3: Hybrid. Sensitive data stays on-premises under your physical control, the cloud is used where it adds value. Independent of the outcome of any future ruling. Recommended for most organisations.
Concrete Steps: Data Classification
- Classify your data per system: what is critical, sensitive, non-critical?
- Decide per category: critical data only with EU providers or on-premises; sensitive data with DPF-certified providers or EU providers, with documented risk assessment; non-critical data anywhere.
- Action plan: classification, current-state inventory, migration plan for critical data, cyber policy check, legal review.
Frequently Asked Questions
Can organisations continue to use US cloud? Yes, with DPF it is currently legally permissible. The General Court confirmed the framework in September 2025. But the appeal before the Court of Justice keeps the risk alive.
What happens if the Court of Justice invalidates the DPF? Thousands of organisations would need an alternative transfer basis quickly (standard contractual clauses plus transfer impact assessments), or would need to migrate.
Does data encryption protect against this? Partially. If you control the encryption keys yourself, access by third parties yields only ciphertext. If the provider manages your keys, the protection is limited.
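To make the last answer concrete, here is an added example (not code from the original article or from any provider mentioned in it) in Go, using only the standard library. It contrasts the two key-management models from the FAQ: with a customer-managed key the object is encrypted client-side with AES-256-GCM before upload, so the stored record is ciphertext only; with a provider-managed key the provider holds both record and key and can produce plaintext on request. The type and function names (Record, Seal, Open, ProviderManaged, Disclose, ContainsPlaintext) and the sample record are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the cloud provider stores when the customer holds the key:
// a random nonce and the AES-GCM ciphertext (which includes the auth tag).
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit AES key. Under customer-managed keys it lives
// in infrastructure the customer operates (on-premises HSM or KMS), never
// in the provider's key service.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext client-side before upload. The object name is
// bound as associated data so a stored record cannot be swapped for another.
func Seal(key, plaintext []byte, objectName string) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record; it fails on a wrong key, a tampered ciphertext
// or a mismatched object name.
func Open(key []byte, rec Record, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(objectName))
}

// ContainsPlaintext models what the provider (or anyone it is compelled
// to hand the stored object to) can recover from the record alone.
func ContainsPlaintext(rec Record, plaintext []byte) bool {
	return bytes.Contains(rec.Ciphertext, plaintext)
}

// ProviderManaged models the other key model: the provider's key service
// holds the key next to the record, so a valid order directed at the
// provider yields plaintext without the customer's involvement.
type ProviderManaged struct {
	Key []byte
	Rec Record
}

// Disclose is what the provider can produce from its own holdings.
func (p ProviderManaged) Disclose(objectName string) ([]byte, error) {
	return Open(p.Key, p.Rec, objectName)
}

func main() {
	key, _ := NewKey()
	plaintext := []byte("patient-id=4711;diagnosis=example") // constructed sample
	rec, _ := Seal(key, plaintext, "customers/4711.json")
	fmt.Println("customer-managed key, plaintext visible to provider:", ContainsPlaintext(rec, plaintext))
	pt, err := Open(key, rec, "customers/4711.json")
	fmt.Println("customer decrypts:", string(pt), err)
	pm := ProviderManaged{Key: key, Rec: rec}
	pt, err = pm.Disclose("customers/4711.json")
	fmt.Println("provider-managed key, provider discloses:", string(pt), err)
}
```

The check in ContainsPlaintext is deliberately naive; the real assurance comes from the key never being available to the provider, which is why the same Record that is opaque in the first case is fully readable in the second.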
Further Resources
→ What Is Data Sovereignty? Definition and Three Dimensions (/en/blog/was-ist-datensouveraenitaet/)
→ US CLOUD Act Explained: Why Server Location Alone Does Not Protect You (/en/blog/us-cloud-act-erklaert/)
→ GDPR and Cloud Storage: Legally Compliant Handling of Personal Data (/en/blog/dsgvo-cloud-speicherung/)
→ Silent Brick System: On-Premises (/en/produkte/silent-brick-system/)
Glossary
GDPR: The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data. For IT infrastructure it is particularly relevant in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).
Data Sovereignty: Data sovereignty describes an organisation's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.