EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF) is the mechanism, underpinned by a 2023 European Commission adequacy decision, that allows personal data to flow from the EU to US companies that self-certify to its principles. It replaced the invalidated Privacy Shield. This page explains how the DPF enables transfers relevant to analytics and why it stays under scrutiny.
What the DPF is
In July 2023 the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, concluding that the US ensures an adequate level of protection for personal data transferred to US organisations certified under the framework. It followed US commitments including new safeguards and redress mechanisms for EU individuals regarding signals-intelligence access.
US companies join by self-certifying to the DPF principles and appearing on the official DPF list maintained by the US Department of Commerce.
Why it remains under review
The DPF is the third attempt at an EU-US transfer arrangement, after Safe Harbor and Privacy Shield were both struck down. Privacy advocates have already signalled legal challenges, and the adequacy decision is subject to periodic review by the Commission. Organisations relying on it should monitor its status and keep alternative mechanisms, like SCCs, available as a fallback.
- Backed by a 2023 Commission adequacy decision
- US firms self-certify and appear on the DPF list
- Subject to legal challenge and periodic review
How it appears in analytics and logs
If a US vendor is listed on the active DPF list, transfers to it can rely on the adequacy decision; if not, you typically fall back to SCCs plus an assessment.
Diagnostic use case
Check whether a US analytics vendor is DPF-certified, which can provide a transfer basis without separate SCCs for data sent to that vendor.
What WebmasterID can help detect
Keeping measurement first-party and in-region reduces dependence on any single transfer framework, including the DPF.
Common mistakes
- Assuming any US vendor qualifies without checking the DPF list.
- Treating the DPF as permanent given Schrems history.
- Dropping SCC fallbacks entirely while relying on the DPF.
Privacy and accuracy notes
This page is educational and not legal advice. The DPF's standing has been challenged and could change; verify a vendor's current certification and the framework's status.
Related pages
- Schrems II and analytics transfers
Schrems II is the 2020 Court of Justice of the EU judgment that invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only with a case-by-case assessment of the destination country's surveillance laws. Its reasoning later drove regulator decisions against certain US-hosted analytics. This page explains the ruling and its analytics impact.
- Standard contractual clauses (SCCs)
Standard Contractual Clauses (SCCs) are model data-protection contract terms adopted by the European Commission that provide a lawful basis for transferring personal data outside the EEA to countries without an adequacy decision. They are commonly used when analytics data flows to vendors abroad. This page explains their role and the assessment that accompanies them.
- Cross-border data transfers in analytics
The GDPR restricts transfers of personal data outside the EU/EEA unless a valid mechanism applies — an adequacy decision, Standard Contractual Clauses, or another safeguard. Analytics that ships data to servers abroad therefore raises a transfer question, made sharper by case law on access by foreign authorities. Keeping data in-region or minimising it reduces the issue. This is educational, not legal advice.
- Privacy-first analytics
In-region measurement that reduces transfer reliance.
Sources and verification notes
- European Commission — EU-US Data Privacy Framework adequacy decisionOfficial adequacy decision and background.
- US Department of Commerce — Data Privacy Framework ProgramCertification list and program details.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.