
Transatlantic-Data-Flows

EU-US DPF

The EU-US Data Privacy Framework replaced Privacy Shield after the latter was invalidated in Schrems II. The framework rests on two pillars: (1) the DPF Principles that certified US companies must follow (similar to Privacy Shield), and (2) Executive Order 14086, which imposes constraints on US intelligence activities. EO 14086 limits signals intelligence to specified national security objectives, requires a proportionality assessment, and creates a two-tier redress mechanism culminating in the Data Protection Review Court (DPRC), through which EU citizens can challenge surveillance. Companies must self-certify through the Department of Commerce. However, the framework faces uncertainty: critics argue that EO 14086’s limitations are insufficient and can be modified by future presidents, that FISA 702 and CLOUD Act powers remain intact, and that the DPRC’s independence is questionable. A Schrems III challenge is anticipated. Organizations should treat DPF as enabling certain transfers while remaining aware that it may be invalidated, as its predecessors were.