By Edward Woodall

In the past couple of years, I’ve written about specific state and European Internet privacy laws in places like Virginia, Tennessee, California, and Europe and how each impacts U.S.-based businesses. Compliance with Europe’s privacy law, the GDPR, has proven particularly difficult for American companies. Recent developments may provide some relief – in July of this year, the new EU-US Data Privacy Framework (DPF) was promulgated. But the history of EU and US privacy law suggests that businesses should think twice before abandoning GDPR compliance for the DPF.

Privacy Shield And The GDPR

Before we dive into the specifics of DPF, businesses need to understand the history of the application of European privacy laws to American companies. Before 2020, American companies were able to comply with European law by participating in a voluntary legal framework called Privacy Shield. Privacy Shield provided some protections for Europeans’ personal data, but it was much less comprehensive and stringent than the GDPR.

But in July 2020, the Court of Justice of the European Union ruled in the Schrems II case and declared that Privacy Shield protections were insufficient for compliance with the GDPR – in effect, it canceled the Privacy Shield program. This is why American companies have been required to provide EU citizens and residents with a complete set of GDPR personal data protections and processes.

The DPF is intended to be the successor to Privacy Shield. Its requirements are less strict than those of the GDPR; therefore, American companies processing personal data from the EU should have a much easier time complying with the DPF than with the GDPR.

What Does The DPF Do?

While the GDPR requires businesses to provide extensive notices and comply with onerous processes (for example, conducting a lengthy assessment before moving data from an EU country to a non-EU country), the DPF is a much simpler framework. It allows companies to avoid most, but not all, of the GDPR obligations if they satisfy the DPF requirements. The key requirements of the DPF are:

  1. The company’s publicly available privacy policy must include a declaration of commitment to the “DPF Principles”: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability.
  2. Individuals whose data is being processed must be informed of their rights.
  3. The company must provide free and accessible dispute resolution.
  4. The company must cooperate with the U.S. Department of Commerce in responding to DPF inquiries and requests.
  5. The company must comply with the GDPR’s data collection, retention, and processing purpose limitation provisions.
  6. The company will remain responsible for data transferred to third parties, and its contracts with any such third party must include specific terms.

If a business certifies to the federal government that it complies with the DPF requirements, it will be allowed to transfer and process protected personal data without full GDPR compliance.

Should You Rely On It?

Because the DPF is much less stringent than the GDPR, many companies are eager to adopt its framework. But experts have urged caution. Data privacy advocates in Europe have already declared their intentions to challenge the DPF in court, and they will likely win at least a partial victory. The key takeaway is to maintain full GDPR compliance and wait until the Court of Justice of the European Union issues a ruling on the DPF. While the complexities of GDPR compliance far exceed the scope of this blog post, there are four key steps you can take to promote GDPR compliance:

  1. Provide every protected person with a notice of their rights.
  2. Use only approved standard contractual clauses when providing data to third parties like contractors or service providers.
  3. Only process data for the purposes for which it was originally collected.
  4. Make and enforce a compliant data retention and deletion policy – keep data no longer than is necessary.

For more information on GDPR compliance, click here.

The attorneys at Venn Law Group have experience helping businesses determine which Internet privacy laws apply and how these laws impact their operations. To learn more about how Venn Law Group can help you develop compliant data processing practices and contracts that work for your business, please contact us here.

Edward B. Woodall is an attorney at Venn Law Group who works in corporate law and commercial real estate, including leasing, financing, taxation, business structures, and dispute resolution. He is passionate about helping business owners solve a variety of complex legal problems and has performed more than 100 hours of pro bono work. In addition to his law degree, he also has a background in history and Spanish.

In Remembrance of Garth Dunklin

We at Venn Law Group are saddened to announce that our partner, mentor, and friend, Garth Dunklin, passed away on January 14, 2021.

As many attorneys and clients in Charlotte and all over North Carolina can attest, Garth was a true “lawyer’s lawyer.” He relished in the practice of law, teaching legal and real estate concepts, and just being a lawyer serving the community.

Garth’s accolades after over 30 years of practice are simply too many to mention in full, but we particularly want to note that over the years he served on the Boards of the North Carolina Association of REALTORS®, the North Carolina CCIM (Certified Commercial Investment Member) and the Charlotte Region Commercial Board of REALTORS® (“CRCBR”). Garth taught classes for CRCBR, among other groups, for over 23 years, and wrote many instructional texts and forms. He was also an adjunct professor for the UNC-Charlotte Belk College of Business, and a Board Member and former Chair of the North Carolina Rules Review Commission.

Garth was a consummate legal professional, and always endeavored to provide quality service and counsel to his clients and colleagues. He will be missed greatly by everyone at the firm and the Charlotte real estate community. Having practiced with Garth and knowing him for close to 20 years, we, in particular, will miss his boisterous laugh and patience as a mentor. We will also fondly remember the first few days of this firm spent at its “World Headquarters”… which was his kitchen table.

We want to publicly thank Garth’s wife, Helen, and his children, Macy and Garth, Jr., for sharing him with us and to assure them that there is a large community of people that will miss Garth with them.

Garth’s family has asked that in lieu of flowers, those that would like may make contributions in Garth’s honor to the American Cancer Society.

There will be an in-person service to honor Garth on Saturday, January 23, 2020, at 11:00 am, at Heritage Funeral Home located at 3700 Forest Lawn Dr, Matthews, NC 28104. Masks will be required. The service will also be live-streamed for those who are not able to attend in person. Below is a link to Garth’s obituary, details about the service, and how to give flowers or donations in his name.

Link to Garth's Obituary
