Spotlight First Periodic Review of the EU–US Data Privacy Framework
On 9 October 2024, the European Commission released a detailed report evaluating the first periodic review of the EU–US Data Privacy Framework (DPF). The review, carried out in collaboration with European Data Protection Authorities (DPAs), aimed to assess the implementation and operational effectiveness of the framework, which governs the protection of personal data transferred from the European Union to organisations in the United States.
The review took place after the DPF had been in operation for one year. The DPF addresses concerns that personal data leaving EU borders is subject to sweeping US government surveillance (→eucrim 2/2023, 152-153). It is now the third attempt to establish legal certainty for data transfers from the EU to the United States, after the previous regimes, the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015), were declared invalid by the European Court of Justice (CJEU) (rulings in Schrems I (→eucrim 3/2015, 85) and Schrems II (→eucrim 2/2020, 98-99)).
The Commission's review report acknowledged significant progress made by the United States in implementing the DPF since its adoption. The Commission stated that the United States implemented safeguards to limit access to personal data by US intelligence authorities to what is necessary and proportionate to protect national security. Key developments also included the establishment of a Data Protection Review Court, designed to handle complaints from EU citizens regarding the misuse of their personal data by US entities. This court was recognised as a crucial mechanism for ensuring independent and effective redress. Furthermore, the report noted robust enforcement actions and compliance commitments from participating US organisations, which collectively enhance the framework's credibility and functionality.
Despite these advancements, the review identified areas requiring further refinement to ensure the DPF’s effectiveness and its continued alignment with the EU's rigorous data protection standards. Specifically, the Commission pointed out the need for clearer guidance to US organisations to help them fully understand and comply with their obligations under the framework. Additionally, the report called for enhanced oversight mechanisms to proactively monitor adherence to the framework’s principles and to address instances of non-compliance more effectively.
The Commission also emphasised the importance of addressing unresolved issues, particularly those related to data access by US public authorities for national security purposes. While the review highlighted that safeguards had been introduced, such as the principles outlined in Executive Order 14086, the report recommended sustained efforts to ensure transparency, proportionality, and necessity in data access practices.
In its conclusions, the Commission underlined the importance of ongoing dialogue and cooperation between the EU and US to maintain trust in transatlantic data transfers. It reaffirmed its commitment to working closely with US authorities to address the identified gaps and to ensure that the DPF continues to meet the high standards of data protection expected by EU citizens.
Looking ahead, the Commission plans to conduct regular reviews of the framework and to engage with stakeholders, including DPAs, businesses, and civil society, to ensure the DPF evolves in line with technological advancements and emerging privacy challenges. The next review is expected to evaluate the progress made in addressing the recommendations outlined in this initial assessment, with the goal of fostering a reliable and secure transatlantic data transfer environment.