Will the Transatlantic Data Privacy Framework Hold?
The EU-US Data Privacy Framework, also known as the DPF, is the legal mechanism that lets US-based companies receive personal data from EU customers without breaching the GDPR. It replaced the Privacy Shield in July 2023, after the Court of Justice of the European Union (CJEU) struck down its predecessor in the Schrems II ruling.
As of April 2026, the DPF is still in force. It survived its first court challenge in September 2025. Even so, its long-term future remains uncertain for three reasons. First, it depends on a US executive order that any sitting president can revoke or quietly hollow out. Second, the redress mechanism it created is being challenged on grounds of judicial independence. Third, noyb (Max Schrems' organisation) has signalled it is reviewing its options for a broader CJEU challenge that targets the framework's structural foundations, with FISA Section 702 as the substantive engine of any such case.
If you process EU personal data through any US-based service (video conferencing, cloud storage, analytics, customer support), this article gives you a current view of where the DPF stands and what your business should do about it.
Table of contents
- A short history of EU-US data transfers
- What the EU-US Data Privacy Framework actually is
- Where the DPF stands in 2026
- The risks that could bring it down
- What businesses should do now
- How Digital Samba handles EU-US data transfers
- Frequently asked questions
A short history of EU-US data transfers
For more than two decades, EU and US authorities have built and rebuilt the legal scaffolding that keeps personal data flowing across the Atlantic. Each successive framework has been struck down in turn, usually by the same Austrian lawyer.
- 2000: Safe Harbor. The first attempt. US companies could self-certify their compliance with EU data protection principles and receive personal data from the EU on that basis.
- 2013: Snowden disclosures. Edward Snowden's revelations about NSA mass surveillance programmes (PRISM, UPSTREAM) made it publicly known that US intelligence agencies could obtain EU personal data held by US-based providers.
- 6 October 2015: Schrems I. The CJEU invalidated Safe Harbor in Case C-362/14 (Schrems v Data Protection Commissioner). The court ruled that the framework did not protect EU data subjects from US government surveillance.
- 12 July 2016: Privacy Shield. A replacement framework with stronger commitments and a US ombudsperson role to handle EU complaints.
- 16 July 2020: Schrems II. The CJEU invalidated Privacy Shield in Case C-311/18. The court ruled that US surveillance laws (FISA Section 702 and Executive Order 12333) still gave US authorities access to EU personal data without sufficient safeguards or redress for EU data subjects.
- 4 June 2021: updated Standard Contractual Clauses (SCCs). The European Commission released new SCCs that companies could use as an alternative legal basis for transfers, paired with supplementary measures and a Transfer Impact Assessment (TIA).
- 22 May 2023: Meta fined €1.2 billion. The Irish Data Protection Commission fined Meta Ireland €1.2 billion for transferring Facebook user data to the US under SCCs without sufficient safeguards. It remains the largest GDPR fine to date.
- 10 July 2023: DPF adopted. The European Commission adopted the EU-US Data Privacy Framework as its third attempt at an adequacy decision for the US. The framework rests on US Executive Order 14086, which created new safeguards on US intelligence collection and a two-layer redress mechanism: an internal Civil Liberties Protection Officer review, and a Data Protection Review Court.
- October 2024: first annual review. The European Commission, the European Data Protection Board (EDPB), and US counterparts conducted the first annual review of the DPF. The Commission concluded the framework was working as intended, with some areas flagged for continued monitoring.
- January 2025: Trump returns to the White House. Executive Order 14086 was issued by President Biden in 2022. As a presidential order rather than a statute, it can be revoked or amended by any sitting president. The Trump administration's approach to the order was watched closely throughout 2025.
- 3 September 2025: Latombe challenge dismissed. The EU General Court dismissed the action brought by French Member of Parliament Philippe Latombe to annul the DPF (Case T-553/23). The court confirmed the framework's validity at the time the European Commission adopted the adequacy decision in 2023. Latombe lodged an appeal on 31 October 2025, which is now pending. The General Court ruling provides immediate legal stability, but it is not the final word: it confined itself to the facts as they stood in 2023.
- Late 2025 to early 2026: noyb signals broader challenge. noyb publicly stated that the Latombe challenge was too narrow and that it is reviewing options for a more expansive structural challenge, which could be a CJEU referral, a civil-injunction route against an individual company, or political pressure on the Commission to suspend the framework. The press calls this hypothetical case 'Schrems III'.
What the EU-US Data Privacy Framework actually is
In legal terms, the DPF is an adequacy decision under Article 45 of the GDPR. The European Commission has determined that the United States, in the specific case of organisations that self-certify under the framework, provides a level of personal data protection 'essentially equivalent' to the GDPR.
In practice, the DPF works in three layers:
- Self-certification. US companies that want to receive EU personal data under the framework apply to the US Department of Commerce. They commit to the DPF Principles, which include obligations on notice, choice, accountability for onward transfer, security, data integrity, access, and recourse.
- US government safeguards. Executive Order 14086 imposes limits on US signals intelligence collection: collection must be necessary and proportionate, must serve a legitimate national security objective listed in the order, and is subject to oversight by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (ODNI).
- Redress mechanism. It has two layers. First, EU complaints route through the Civil Liberties Protection Officer, who has authority to investigate and impose binding remedial measures. Second, decisions can be appealed to the Data Protection Review Court (DPRC), a judicial body within the US Department of Justice.
For EU businesses, the practical effect is that personal data can be transferred to a DPF-certified US company without the SCC plus TIA plus supplementary measures paperwork required for any other US transfer.
Where the DPF stands in 2026
Three signals are worth tracking right now.
- The Latombe ruling holds, but an appeal is pending. The General Court confirmed that the European Commission acted within its discretion in adopting the adequacy decision in 2023. Latombe argued that EO 14086 did not provide sufficient safeguards and that the DPRC lacked the independence required for genuine judicial review. The court rejected both arguments on the law as it stood at the time of adoption. That qualifier matters: the ruling does not foreclose a future challenge based on subsequent events. Latombe lodged an appeal on 31 October 2025.
- The first annual review was positive but conditional. The Commission's 2024 review concluded that the framework was operating as intended, with one notable observation: ongoing US legislative changes and executive-branch actions warranted continued attention. In its parallel report of 4 November 2024, the EDPB flagged the redress mechanism's transparency to complainants as an area for improvement.
- Executive Order 14086's stability is the open question. EO 14086 was signed by President Biden on 7 October 2022. Any US president can revoke it. More importantly, its safeguards can be hollowed out without revoking the order itself. The clearest example to date came on 27 January 2025, when the Trump administration removed the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving the body without a quorum. PCLOB is one of the oversight structures the European Commission's adequacy assessment specifically relied on. As of April 2026 it still cannot issue official findings. The EDPB and Members of the European Parliament raised formal concerns; the Commission has so far declined to suspend the DPF.
For now, the DPF is operative and EU-US transfers under the framework are lawful. Businesses can rely on it for current operations. The question is what to do about the structural risks.
Before working through them, it is worth ranking by urgency. The EO 14086 vector (whether through revocation or hollowing-out) can move in days or weeks: a single signature, or further oversight changes like the PCLOB firings, can shift the picture overnight. FISA Section 702 reauthorisation is a quarterly-to-annual variable, and the next cliff is days away as this article goes out. A 'Schrems III' referral and CJEU ruling typically takes 18 to 36 months from filing. All three risks are real; only the first two are near-term.
The risks that could bring it down
Risk 1: EO 14086 revocation or hollowing-out
EO 14086 is the load-bearing legal foundation for the national-security safeguards the DPF rests on (the limits on intelligence collection and the redress mechanism). It is also a presidential order, not a statute. Revocation requires no congressional action, no court ruling, and no public consultation. A single signature can void the safeguards the European Commission relied on to grant adequacy.
Revocation is the dramatic version. The quieter version is the one already happening: oversight bodies the Commission relied on can be defanged without the order itself being touched. The PCLOB quorum collapse in January 2025 is the live example. If further oversight structures are weakened in the same way, the EDPB or the Commission may at some point conclude that the safeguards as actually implemented no longer match what was assessed in 2023.
If EO 14086 is revoked, or if the Commission decides the safeguards have been hollowed out beyond repair, the adequacy decision is unlikely to survive. EU businesses would then face the same SCCs plus TIA plus supplementary measures regime they had between Schrems II and the DPF adoption.
Risk 2: Schrems III, with FISA 702 as the engine
noyb has publicly stated that the Latombe challenge was too narrow and is reviewing options for a broader structural case. The likely arguments target the same issues that brought down Privacy Shield: that FISA Section 702 still permits bulk collection of EU personal data, that the redress mechanism does not provide effective judicial review by an independent court, and that EU data subjects do not have the right of action against US government surveillance that EU constitutional law requires.
FISA 702 is the substantive ammunition for any such case, and it is on a live timer. The statute was reauthorised by RISAA on 20 April 2024 with a two-year sunset, meaning it was due to sunset or be reauthorised on 20 April 2026, days before this article goes out. RISAA also broadened the definition of foreign intelligence information and expanded the universe of US entities that can be compelled to assist. Whatever Congress does in this reauthorisation cycle is the most consequential single legislative event for DPF survival in 2026. A reauthorisation that broadens collection further would strengthen Schrems III arguments. A reauthorisation that narrows the authority would help defend the DPF.
The CJEU has struck down both predecessor frameworks on these arguments. There is no obvious reason to expect a different result if a broader noyb challenge reaches the court. Timing is the variable: a CJEU referral and ruling typically takes 18 to 36 months from filing.
Risk 3: DPRC independence
The Data Protection Review Court is a judicial body inside the US Department of Justice. noyb has consistently argued that it does not meet the EU constitutional standard for an independent and impartial tribunal. That argument has not yet been tested in litigation that goes after the framework directly. If a CJEU referral squarely addresses the DPRC's structural independence and rules it insufficient, the redress mechanism collapses and the adequacy decision goes with it.
What businesses should do now
The honest answer is that the DPF is currently lawful and you can rely on it for current operations. The careful answer is that you should not rely on it alone.
- Maintain Transfer Impact Assessments for material transfers. TIAs are required for transfers under SCCs and BCRs, but it is good practice to have them on file for DPF-based transfers as well. If the framework falls, you already have the documentation you need to operate under SCCs.
- Audit your sub-processor exposure. Every US-based SaaS vendor in your stack with access to EU personal data is a DPF dependency point. Map them. Ask each one which legal basis they rely on for transfers and what their contingency plan is for an invalidation event.
- Document a contingency plan. If the DPF is invalidated, do not assume a comfortable transition window. After Schrems II, the EDPB explicitly declined to grant a grace period; past invalidations have produced varying enforcement timelines, sometimes weeks, sometimes months, depending on the DPA and the operator. The plan must already be on the shelf when the news breaks.
- Prefer EU-headquartered providers for new procurement where the use case allows. This is not a moral statement; it is risk reduction. Vendors that operate without DPF reliance are immune to DPF invalidation events by definition. They are also outside the reach of the US CLOUD Act, which lets US authorities compel US-based providers to hand over data regardless of where the data is stored. An EU-located but US-controlled provider is still exposed to that demand. EU-headquartered providers are not. For categories where strong EU alternatives exist (video conferencing, file storage, email, productivity), the procurement decision is straightforward on transfer-law grounds, although integration cost and migration friction still need their own assessment.
- Use a structured vendor-risk checklist. Generic 'are you GDPR compliant?' questions are not enough. The relevant questions are about sub-processor geography, encryption key control, FISA 702 and CLOUD Act exposure, and migration plans.
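The sub-processor audit and vendor-risk checklist above can be turned into a repeatable check rather than a one-off spreadsheet exercise. The script below is an added example, not Digital Samba's own tooling and not code from the article: it runs a constructed sub-processor inventory (the vendor names and attributes are hypothetical) through the checklist, flags DPF dependency, missing TIA and contingency documentation, and records US-controlled vendors as reachable under the CLOUD Act regardless of where they host, since that reach follows the controlling entity rather than the data centre.

```python
from dataclasses import dataclass
from typing import Dict, List

# EEA member states (ISO 3166-1 alpha-2). Hosting outside this set is a third-country transfer.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Legal bases that cover a transfer to a third country.
THIRD_COUNTRY_BASES = {"dpf", "scc", "bcr"}


@dataclass
class Vendor:
    name: str
    parent_country: str           # country of the ultimate controlling entity
    hosting_countries: List[str]  # where EU personal data is stored or processed
    transfer_basis: str           # "intra_eu", "dpf", "scc", "bcr" or "none"
    tia_on_file: bool             # Transfer Impact Assessment documented
    contingency_plan: bool        # written fallback if the current basis is invalidated
    customer_key_control: bool    # customer, not vendor, holds the encryption keys


def assess(v: Vendor) -> Dict[str, object]:
    """Apply the checklist to one sub-processor and return its findings."""
    findings: List[str] = []
    hosts_outside_eea = any(c not in EEA for c in v.hosting_countries)
    dpf_dependent = v.transfer_basis == "dpf"
    # CLOUD Act reach follows the controlling entity, not the data centre location.
    us_controlled = v.parent_country == "US"

    if hosts_outside_eea and v.transfer_basis not in THIRD_COUNTRY_BASES:
        findings.append("third-country hosting without a transfer mechanism")
    if not hosts_outside_eea and v.transfer_basis in THIRD_COUNTRY_BASES:
        # Not a violation, but worth a question: there may be undisclosed onward transfers.
        findings.append("transfer mechanism declared although hosting is EEA-only")
    if dpf_dependent:
        findings.append("relies on DPF adequacy decision")
        if not v.tia_on_file:
            findings.append("no TIA on file to fall back to SCCs")
        if not v.contingency_plan:
            findings.append("no documented contingency for DPF invalidation")
    if v.transfer_basis in {"scc", "bcr"} and not v.tia_on_file:
        findings.append("TIA missing (required for SCC/BCR transfers)")
    if us_controlled:
        findings.append("US-controlled: CLOUD Act / FISA 702 reachable regardless of hosting")
        if not v.customer_key_control:
            findings.append("vendor holds encryption keys; compelled disclosure yields plaintext")

    if dpf_dependent and (not v.tia_on_file or not v.contingency_plan):
        severity = "high"
    elif dpf_dependent or us_controlled or hosts_outside_eea:
        severity = "medium"
    else:
        severity = "low"
    return {"vendor": v.name, "severity": severity, "dpf_dependent": dpf_dependent,
            "us_controlled": us_controlled, "findings": findings}


def audit(inventory: List[Vendor]) -> List[Dict[str, object]]:
    """Assess every vendor and return the results ordered by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(v) for v in inventory), key=lambda r: order[str(r["severity"])])


# Constructed inventory for illustration; names and attributes are hypothetical.
SAMPLE_INVENTORY = [
    Vendor("us-analytics-saas", "US", ["US"], "dpf", tia_on_file=False,
           contingency_plan=False, customer_key_control=False),
    Vendor("us-cloud-eu-region", "US", ["DE", "IE"], "intra_eu", tia_on_file=False,
           contingency_plan=True, customer_key_control=True),
    Vendor("eu-video-vendor", "NL", ["NL", "FR", "DE"], "intra_eu", tia_on_file=False,
           contingency_plan=True, customer_key_control=True),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY):
        print(f"[{r['severity']:6}] {r['vendor']}")
        for f in r["findings"]:
            print(f"          - {f}")
```

The second sample vendor is the case the article singles out: EU-hosted, so no third-country transfer and no DPF dependency, yet still flagged because a US parent keeps it within CLOUD Act reach. Swap `SAMPLE_INVENTORY` for your real sub-processor list to get a ranked starting point for the vendor conversations.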
How Digital Samba handles EU-US data transfers
We are a video conferencing vendor, so what follows is partly a description of our own setup. The point is to show what an answer that doesn't depend on the DPF actually looks like in practice.
Most US-based video conferencing vendors (Zoom, Google Meet, Microsoft Teams) serve EU customers under the DPF. Their legal mechanism for transferring EU personal data to the US relies on DPF self-certification. If the DPF falls, those services need to switch to SCCs with substantial supplementary measures, document new TIAs, and in some cases negotiate new contracts with their EU customers. They also remain exposed to the CLOUD Act regardless of where their EU customers' data is physically stored.
Digital Samba is not in that position. We do not self-certify under the DPF because we do not need to: EU personal data does not leave the EU on our infrastructure, and we are not a US-controlled entity that the CLOUD Act can reach.
- Where data lives. Production servers run on Leaseweb (Amsterdam, Netherlands) and Scaleway (Netherlands, France, Poland). Backup and disaster recovery run on Leaseweb (Frankfurt, Germany). All primary, secondary, and disaster-recovery infrastructure is inside the EU/EEA.
- Encryption. TLS 1.3 in transit. AES-256-GCM at rest. DTLS-SRTP for media. Optional end-to-end encryption available for customers who want full key control.
- Sub-processors. The full list is published in the Data Processing Agreement and the Security White Paper. Every sub-processor with access to personal data operates inside the EU.
- The DPF question on our risk register. It is not on it. Whether the DPF holds, falls, or is replaced, the legal basis on which we serve EU customers does not change. We rely on the GDPR's intra-EU regime, not on adequacy decisions for third countries.
This is the practical reason DPOs at GDPR-sensitive customers (healthcare, education, government, legal services) choose Digital Samba over US-based alternatives. They choose us not because we are 'more compliant', but because the DPF risk that sits on every other vendor's risk register simply does not appear on ours.
For more detail, see our Security White Paper and GDPR-compliant video conferencing page.
The practical takeaway
Plan for the DPF to fail; act as if it won't. Keep your TIAs up to date, know which of your vendors are DPF-dependent, and have a contingency plan that does not assume a generous transition window. For categories where EU-headquartered alternatives meet the functional requirement, the procurement-risk argument has already been made for you.
Frequently asked questions
The DPF is a legal arrangement that allows US-based companies to receive personal data from the EU without violating the GDPR, provided they self-certify and follow the DPF Principles. It replaced the Privacy Shield, which the CJEU struck down in 2020.
Yes. The DPF is in force as of April 2026. It survived its first judicial challenge (the Latombe case) on 3 September 2025, although an appeal was lodged on 31 October 2025 and is pending. Several structural risks remain that could change the picture.
Schrems III is the informal name for a hypothetical future CJEU case that noyb (Max Schrems' organisation) has signalled it may pursue. noyb has publicly stated that the Latombe challenge was too narrow and that a broader structural challenge against the DPF is under consideration. No formal filing has been confirmed as of April 2026.
If the DPF is invalidated, EU-US data transfers fall back to Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment plus supplementary measures. This is the same regime that applied between Schrems II (July 2020) and DPF adoption (July 2023). There is no guaranteed grace period. After Schrems II the EDPB explicitly declined to grant one; past invalidations have produced varying enforcement timelines depending on the DPA and the operator concerned, sometimes weeks, sometimes a few months.
noyb (None Of Your Business) is an Austrian non-profit co-founded by Max Schrems in 2017. Schrems himself personally drove the Schrems I case (which struck down Safe Harbor in 2015, before noyb existed) and the Schrems II case (which struck down Privacy Shield in 2020). Since its founding, noyb has supported and continued that work, and is now the organisation publicly considering a broader challenge to the DPF.
You can rely on the DPF for current operations because it is currently lawful. However, you should maintain Transfer Impact Assessments, document a contingency plan for invalidation, and consider EU-headquartered alternatives where they meet your functional requirements. Sole reliance on the DPF without a fallback plan is a risk.
Executive Order 14086 is the US presidential order signed on 7 October 2022 that creates the safeguards (limits on signals intelligence, redress mechanism) that the European Commission relied on when it granted adequacy to the DPF in 2023. As a presidential order rather than a statute, it can be revoked by any sitting US president without congressional action. Its safeguards can also be eroded without revoking the order itself, for example by changing the composition of the oversight bodies the Commission relied on.
No. Digital Samba does not self-certify under the DPF because we do not need to. Our infrastructure is entirely inside the EU: production on Leaseweb (Netherlands) and Scaleway (EU), backup on Leaseweb (Germany). EU personal data does not leave the EU on our platform, so the DPF's stability is not on our customers' risk register.
Audit which of your vendors rely on the DPF. For each one, document the legal basis for transfer, the contingency plan if the DPF is invalidated, and the level of US government access exposure (FISA 702, CLOUD Act). For new procurement in categories where strong EU alternatives exist, consider those alternatives first.