Is the EU-US Data Privacy Framework Still Valid? Where Things Stand in 2026
The EU-US Data Privacy Framework survived its first court challenge in 2025, but a CJEU appeal, a gutted oversight board, and a FISA reauthorization fight leave its future uncertain. Here's the state of play.

If your marketing stack relies on US-based tools, the EU-US Data Privacy Framework (DPF) is probably the legal mechanism keeping those data transfers lawful. So it matters that, in mid-2026, the framework is standing on noticeably shakier ground than it was when the European Commission adopted it.
The short version: the DPF is still valid law today. But the ruling in which it survived its first court challenge was narrow in scope, a second and more dangerous challenge is now pending at the EU's highest court, and two of the framework's underlying US safeguards have been weakened since early 2025. Here's what actually happened, and what it means for your stack.
A Quick Recap: What the DPF Is
The EU-US Data Privacy Framework, adopted by the European Commission on July 10, 2023, is an adequacy decision under Article 45 GDPR. It allows personal data to flow from the EU to US companies that self-certify under the framework, without needing Standard Contractual Clauses or a Transfer Impact Assessment for those specific transfers.
It is the third attempt at a transatlantic data deal. Its two predecessors, Safe Harbor (struck down in 2015) and Privacy Shield (struck down in 2020 by Schrems II), were both invalidated by the Court of Justice of the European Union. That history is the reason nobody serious treats the DPF as permanent.
What Changed in 2025
Two developments in 2025 reshaped the picture.
The Latombe ruling (September 2025): the DPF survives, for now
On September 3, 2025, the EU General Court dismissed a challenge brought by French Member of Parliament Philippe Latombe (Case T-553/23, Latombe v Commission). The Court upheld the adequacy decision, finding that:
- The US Data Protection Review Court (DPRC) was sufficiently independent and impartial to provide redress
- US law placed adequate limits on bulk data collection by intelligence agencies
- Protections for data security and automated decision-making were substantially equivalent to EU standards
This was the first judicial validation of the DPF, and it was good news for the framework. But there are two important caveats. First, the General Court assessed the situation "as it stood" at the time of the 2023 adequacy decision, not the situation today. Second, the General Court is not the final word.
The PCLOB crisis: a safeguard quietly disabled
On January 27, 2025, three of the five members of the Privacy and Civil Liberties Oversight Board (PCLOB) were removed, leaving the board without a quorum. The PCLOB is not a minor detail; it is one of the institutional safeguards the European Commission relied on when it judged US protections "adequate."
Without a quorum, the PCLOB cannot:
- Conduct the annual reviews of Executive Order 14086 compliance that the order itself requires
- Fulfil its consulting role in the appointment of DPRC judges (the redress mechanism the Latombe court praised)
Both the European Data Protection Board (EDPB) and the European Commission have flagged the board's incapacity as a concern for the framework's ongoing adequacy. The redress system the General Court found "adequate" in September is, in practice, operating with one of its supporting institutions disabled.
What's Happening in 2026
The story did not end with the General Court.
The CJEU appeal is pending. Latombe appealed the General Court's decision to the Court of Justice of the European Union in October 2025. As of mid-2026, no hearing date has been announced. This matters because the CJEU, not the General Court, is the body that struck down both Safe Harbor and Privacy Shield. It has consistently been far more skeptical than the lower court about US surveillance practices and the real-world effectiveness of redress mechanisms. A "Schrems III" outcome is exactly the scenario the privacy organization noyb has signaled it expects.
Section 702 is in limbo. FISA Section 702, the surveillance authority at the heart of every Schrems case, was reauthorized for two years in April 2024 (under RISAA). That reauthorization lapsed in April 2026. Congress passed a short-term 45-day extension to keep the authority operational through mid-June 2026 while it debates a longer-term renewal. The instability around 702 is precisely the kind of moving target that makes any adequacy finding fragile.
Put together: the framework is valid today, but it depends on a redress system missing a key institution, rests on a surveillance law that is being renegotiated month to month, and faces review by the one court most likely to invalidate it.
What This Means for Your Marketing Stack
None of this requires panic. It requires a plan. The mistake to avoid is the one many teams made before Schrems II: treating a single legal mechanism as a permanent foundation and having no fallback when it disappears overnight.
If you rely on the DPF, take three steps now.
1. Know which of your vendors actually depend on it. Any US-headquartered tool processing EU personal data is in scope: Google Analytics, HubSpot, Mailchimp, Salesforce, and most US SaaS. Confirm each is actually DPF-certified at dataprivacyframework.gov rather than assuming it.
2. Keep a fallback transfer mechanism in place. Don't rely on the DPF alone. Ensure Standard Contractual Clauses (the 2021 version) and a completed Transfer Impact Assessment exist for high-risk vendors, so an invalidation doesn't leave you instantly non-compliant. Our Schrems II checklist walks through this step by step.
3. Reduce the dependency where it's cheap to do so. The most durable hedge is not a better contract; it's a tool that never sends data to the US in the first place. If the data stays in the EU, the DPF's fate is irrelevant to that vendor relationship. There's no transfer to assess and no framework to monitor.
European alternatives now exist for essentially every marketing category:
- Web analytics: Plausible, Matomo, Fathom, Pirsch
- Email & CRM: Brevo
- Consent management: Cookiebot, Complianz
- Heatmaps & session recording: Mouseflow, Smartlook
- Server-side tagging: Stape
You don't need to rip everything out at once. Start with the tools that hold your most sensitive data and the highest data volumes, your analytics and your customer lists, and work down from there. For a category-by-category walkthrough, see Building a Fully European Marketing Stack in 2026.
The Bottom Line
The EU-US Data Privacy Framework has not been struck down. It cleared its first court test in September 2025 and remains the operative legal basis for certified transatlantic transfers. But "valid today" is not the same as "safe to bet on." With a CJEU appeal pending before the EU's most skeptical court, an oversight board operating without quorum, and the underlying surveillance law being reauthorized in 45-day increments, the prudent assumption is the same one that protected forward-thinking teams in 2020: the framework could change, and your compliance should not depend on it surviving.
The businesses that fared best after Schrems II were the ones that had already reduced their exposure before the ruling landed. The same logic applies now.
FAQ
Is the EU-US Data Privacy Framework still valid in 2026?
Yes. As of mid-2026 the DPF remains valid law. The European Commission's 2023 adequacy decision stands, and the EU General Court upheld it in September 2025. However, an appeal is pending before the CJEU, which has invalidated both predecessor frameworks.
What was the Latombe ruling?
On September 3, 2025, the EU General Court dismissed Philippe Latombe's challenge to the DPF (Case T-553/23), upholding the framework. The decision was appealed to the CJEU in October 2025 and remains pending.
Why does the PCLOB matter for the DPF?
The Privacy and Civil Liberties Oversight Board was one of the safeguards the European Commission cited when finding US protections adequate. After three of its five members were removed in January 2025, it lost quorum and can no longer conduct its required annual surveillance reviews or support the DPF's redress mechanism, weakening one of the framework's pillars.
Should I stop using DPF-certified US tools?
Not necessarily, but don't rely on the DPF as your only transfer mechanism. Keep Standard Contractual Clauses and a Transfer Impact Assessment in place as a fallback, and where practical, migrate high-risk categories to European alternatives that keep data in the EU.
What is "Schrems III"?
It's the informal name for an anticipated future CJEU case that could invalidate the DPF, following the pattern of Schrems I (which ended Safe Harbor) and Schrems II (which ended Privacy Shield). The privacy group noyb has signaled it expects the framework to face such a challenge.
Reducing your dependence on the DPF? Browse verified European alternatives by category, each checked for EU hosting and GDPR status: Best European Marketing Software →