GDPR · 8 min read · 3 July 2026

EU-US Data Privacy Framework (DPF): How SaaS Companies Transfer Data to the US After Schrems II

The EU-US Data Privacy Framework replaced Privacy Shield in July 2023. Here's what it covers, who can use it, how it compares to SCCs and BCRs, and what happens if it's challenged again.

The short version: DPF is the third attempt at EU-US data transfers

Transferring personal data from the EU to the US has been legally fraught since 2020, when the Court of Justice of the EU (CJEU) invalidated Privacy Shield in the Schrems II judgment (Case C-311/18). The court found that US surveillance law — specifically FISA Section 702 and Executive Order 12333 — gave US intelligence agencies access to EU personal data in ways that were incompatible with EU fundamental rights.

After two years of negotiations, the EU-US Data Privacy Framework (DPF) was adopted by the European Commission in July 2023 (Commission Implementing Decision 2023/1795). It works similarly to Privacy Shield: US companies self-certify through the US Department of Commerce, commit to DPF principles, and can receive personal data from the EU without needing Standard Contractual Clauses (SCCs) or other transfer mechanisms — as long as their certification is current.

As of 2026, the DPF is the most convenient transfer mechanism for SaaS companies with US-based hosting, US parent companies, or US customer data storage. But it comes with a Schrems III risk that everyone in compliance knows about.

Who can use the DPF

Only US companies can self-certify under the DPF. Specifically:

  • US companies subject to FTC jurisdiction (which covers most commercial entities) or US Department of Transportation jurisdiction (air carriers and ticket agents)
  • Companies must self-certify to the US Department of Commerce at dataprivacyframework.gov
  • Certification must be renewed annually
  • The company must have a designated contact for complaints and a privacy policy that references DPF

Companies that are not eligible: non-US entities (you can't self-certify as a UK or EU company) and companies outside FTC jurisdiction (banks and financial institutions have their own regulators; telecoms are partly FCC-regulated). If you're a US-headquartered SaaS company, you very likely qualify.

How DPF compares to SCCs and BCRs

| Mechanism | Who Can Use | Setup Effort | Ongoing Obligation | Legal Certainty |
|---|---|---|---|---|
| DPF | US companies (FTC/DOT jurisdiction) | Low — self-certification online | Annual renewal; privacy policy update; complaint handling | High for now; Schrems III risk |
| SCCs (Module 1–4) | Any company globally | Medium — contract signing + TIA | Periodic review; TIA update on law change | Moderate — TIA adds operational burden |
| BCRs | Multinational corporate groups | Very high — regulatory approval required | Governance; supervisory authority updates | High within the group |
| Adequacy (UK IDTA, etc.) | Country-to-country basis | None — automatic if country is adequate | Monitor adequacy status changes | High while adequacy stands |

DPF for SaaS: what you need to do

If your SaaS company is US-based and you transfer EU personal data to the US (storing in AWS us-east-1, running analytics on US servers, etc.), here's what DPF certification involves:

Step 1: Verify eligibility

Confirm your company is subject to FTC jurisdiction. Most commercial US companies are. Exceptions include banks (OCC/Fed jurisdiction), credit unions, telecoms (FCC-regulated portions), and non-profits not engaged in commercial activity. If in doubt, check with legal counsel.

Step 2: Update your privacy policy

Your public privacy policy must include:

  • A statement that you participate in the DPF and a link to the DPF list
  • The types of personal data collected and purposes
  • Data subject rights (access, correction, deletion, restriction)
  • Your designated contact for complaints
  • Information about your recourse mechanism (see below)
  • A statement that you are subject to the investigatory and enforcement powers of the FTC

Step 3: Implement DPF principles

The 7 DPF principles (similar to Privacy Shield):

  1. Notice — inform individuals what data is collected and how it's used
  2. Choice — provide opt-out for secondary use; opt-in for sensitive data
  3. Accountability for Onward Transfer — only transfer to third parties that provide equivalent protection (SCCs or DPF certification)
  4. Security — reasonable and appropriate measures to protect personal data
  5. Data Integrity and Purpose Limitation — data must be relevant and reliable
  6. Access — individuals can access, correct, and delete their data
  7. Recourse, Enforcement, and Liability — accessible, affordable, independent recourse mechanism

Step 4: Designate a recourse mechanism

You must provide EU individuals with an independent recourse mechanism for complaints. Options:

  • A free independent dispute resolution body (DPF-approved) — several are listed at dataprivacyframework.gov
  • EU Data Protection Authorities (EU DPAs) — you can commit to cooperate with EU DPAs
  • Binding arbitration (DPF Arbitration Panel) — for unresolved complaints

Step 5: Self-certify

Submit your self-certification at dataprivacyframework.gov. The annual fee varies by company size (roughly $75–$3,400 per year based on revenue). You'll need to provide your privacy policy URL, designated contact, recourse mechanism choice, and list of data types covered.

What DPF doesn't cover

Important limitations:

  • UK transfers — the UK-US Data Bridge (extension of DPF) covers UK-to-US transfers. It entered into force October 2023 under UK GDPR. US companies must separately certify for the UK extension.
  • Swiss transfers — a Swiss-US DPF extension exists as of July 2023. As with the UK extension, you must separately indicate participation in it when you certify.
  • Sub-processors — if you use US sub-processors (AWS, Google Cloud, etc.), you need to ensure they either have their own DPF certification or you have SCCs in place. Your GDPR DPA must address this.
  • Non-US countries without adequacy — DPF only covers US transfers. Transfers to India, Brazil, or other non-adequate countries still need SCCs or other mechanisms.

The Schrems III risk: what to watch

Max Schrems (noyb.eu) has already announced his intention to challenge the DPF. The legal challenge is pending before the CJEU. The grounds are similar to Schrems II: FISA 702 surveillance powers remain largely unchanged; the new redress mechanism (the Data Protection Review Court, or DPRC) may not satisfy CJEU standards for effective remedy.

If the CJEU invalidates the DPF (Schrems III), US companies would again need to fall back on SCCs with Transfer Impact Assessments. Best practice: implement DPF now as your primary mechanism, but ensure your SCCs with EU customers and partners are also in place as a backup. Keep your TIA documentation current.

Practical GDPR compliance checklist for EU-US transfers

  • ☐ If US-based: DPF self-certification in place and renewed annually
  • ☐ UK-US Data Bridge extension certified if you have UK customers
  • ☐ Privacy policy updated with DPF disclosure
  • ☐ EU DPA or independent recourse mechanism designated
  • ☐ SCCs in place with EU data controllers (even with DPF as backup)
  • ☐ Sub-processor list maintained — verify each has DPF or SCCs in place
  • ☐ DPA (Data Processing Agreement) with EU customers references the transfer mechanism
  • ☐ Transfer Impact Assessment (TIA) documented for SCCs as Schrems III contingency
  • ☐ RoPA (Record of Processing Activities) updated to reflect transfer mechanism

For your GDPR Data Processing Agreement, use the GDPR DPA Generator. For your sub-processor list (which must reference transfer mechanisms), use the Sub-Processor List Generator. For your GDPR Transfer Impact Assessment (Schrems III contingency), use the GDPR Transfer Impact Assessment Generator. For a full GDPR compliance audit covering international transfers, use the GDPR Compliance Audit Generator.