The Current Framework
Following the invalidation of Privacy Shield by the CJEU in Schrems II, the EU-US Data Privacy Framework (DPF) was adopted to provide an adequacy decision for certified US organizations. However, the DPF remains legally vulnerable, and organizations should not rely on it as their sole transfer mechanism.
Layered Compliance Approach
Best practice requires implementing Standard Contractual Clauses (SCCs) in parallel with DPF certification. Conduct Transfer Impact Assessments (TIAs) for all significant data flows and document the legal bases and supplemental measures applied.
Enforcement Trends
Data Protection Authorities in France, Ireland, and Germany have issued significant enforcement decisions against US cloud providers. Organizations must ensure that vendor contracts include adequate data processing terms and that sub-processor lists are current.