EU–US DPF: CNPD/EDPB cautious, ICO ‘data bridge’ more flexible
The DPF offers a secure lane to certified US recipients in the EU, while the UK ‘data bridge’ further streamlines UK-to-US flows. Outside the DPF, SCC/BCR + TIA remain required per CNPD/EDPB guidance.
Excerpt — 10 July 2023: the EU adopts the EU‑US Data Privacy Framework adequacy decision. The CNPD (April 2025) details its cautious use and TIAs for alternatives; on the UK side, the ICO supports a simpler “data bridge” to the US effective 12 October 2023.
The case
- On 10 July 2023, the European Commission adopted Implementing Decision (EU) 2023/1795 finding the United States adequate for transfers to organisations certified under the Data Privacy Framework (DPF), pursuant to GDPR Article 45. The decision builds on Executive Order 14086 and an independent redress mechanism. See the Official Journal on EUR‑Lex: (EU) 2023/1795 of 10 July 2023 and the Commission’s overview: EU‑US data transfers. For a refresher on the legal bases, consult our GDPR (Articles 45/46) page.
- On 18 April 2025, the CNPD updated its “International data transfers” guidelines, dedicating a section to the DPF, recalling the scope of Article 45 and the alternatives (SCCs, BCRs) under Articles 46/49, with Transfer Impact Assessments required in the absence of adequacy. See the announcement: CNPD, news 18/04/2025 and the PDF document (dated 3/04/2025): guidelines – international transfers.
- In parallel, in the United Kingdom (outside the EU GDPR), the “UK‑US data bridge” — the UK extension to the DPF — took effect on 12 October 2023 under UK GDPR Article 45. Government published an explainer and a factsheet confirming no additional safeguards (UK GDPR Arts. 46/49) are required for certified US recipients. See: Explainer (21/09/2023) and Factsheet (12/10/2023). The ICO provides dedicated pages, including “How does the UK Extension to the EU‑US DPF work?”: ICO – UK Extension.
Key point for Luxembourg stakeholders: the CNPD/EDPB take a cautious stance on the DPF (limited scope, ongoing oversight), while the UK streamlines flows via its “data bridge” and provides reusable government analysis. For hands‑on governance support, see our DPO mandate and governance.
Legal reasoning
- EU legal basis: GDPR Article 45 (adequacy decision). Decision (EU) 2023/1795 finds the US ensures an adequate level of protection for transfers to entities listed on the Department of Commerce “DPF List”; it also provides for suspension if safeguards were undermined (see recitals 126, 176 and review clauses). Source: EUR‑Lex 2023/1795.
- EDPB reading: in “Opinion 5/2023” on the draft adequacy decision, the EDPB “welcomed” improvements but noted persisting concerns (e.g., continuous oversight of intelligence access, importance of redress). This informed national authorities, including the CNPD, to advocate operational vigilance. Source: EDPB, Opinion 5/2023.
- CNPD position (18/04/2025): guidelines reiterate the “two‑track” logic: 1) adequacy (Art. 45), incl. the DPF — applicable only if the US recipient is certified; 2) otherwise, appropriate safeguards (Art. 46) — typically SCCs or BCRs — requiring a Transfer Impact Assessment and supplementary measures, in line with Schrems II (CJEU, 16/07/2020, C‑311/18). Sources: CNPD news and CNPD Guidelines 04/2025.
- UK legal basis: UK GDPR Article 45 (autonomous adequacy regime). The “UK‑US data bridge” (SI “The Data Protection (Adequacy) (United States of America) Regulations 2023”) enables transfers, from 12/10/2023, to US recipients certified to the “UK Extension to the EU‑US DPF” without additional safeguards. DSIT provides supporting materials; the ICO offers explanatory pages and a simplified compliance path. Sources: DSIT – Explainer, Factsheet, and ICO – UK Extension.
What changes in practice
- EU/Luxembourg organisations (GDPR) transferring to the US:
- If your US recipient is DPF‑certified (check the “DPF List”), you may rely on GDPR Article 45 (Decision 2023/1795). Monitor service scope/sub‑processing and certification renewal. For local compliance context, see GDPR Luxembourg and CNPD practices.
- If the recipient is not DPF‑certified (or if sub‑processors include a non‑certified entity), you fall back on Article 46 (SCCs, BCRs) with a TIA and, where needed, additional technical/organisational measures (strong client‑side encryption, minimisation, logging, etc.), per the CNPD/EDPB approach.
- EU–UK groups: a UK entity may leverage the “UK‑US data bridge” where the recipient is certified to the UK Extension, with no extra safeguards, per DSIT and ICO. Note: this UK choice does not cover EU‑origin flows, which must follow the EU GDPR route.
Action point for leadership/DPO/CISO: map US recipients and status (DPF‑certified / not), split EU vs UK flows, and align legal bases (Art. 45 vs 46), TIAs, and controls. Need an experienced partner and a certified DPO? Explore our DPO governance and mandate.
Common pitfalls
- Assuming “DPF = blanket permission” for all US transfers. False: adequacy only covers listed organisations and purposes/services within certification scope. Beyond that, revert to SCCs/BCRs + TIA. Refs: (EU) 2023/1795 and CNPD 18/04/2025.
- Overlooking cascading processors. A DPF‑certified US processor may use a non‑certified sub‑processor: this link requires a distinct legal basis (SCCs/BCRs) and, on the EU side, a TIA and supplementary measures. Ref: CNPD Guidelines (04/2025).
- Mixing up EU and UK regimes. The UK “data bridge” simplifies for UK entities but does not “cover” EU flows. EU controllers must stick to the GDPR and CNPD/EDPB approach. Refs: DSIT Factsheet, ICO – UK Extension.
- Failing to document proportionality of technical measures. Outside the DPF, the EDPB and CNPD expect analysis justifying measures (e.g., end‑to‑end encryption with EU‑controlled keys, attribute minimisation). Refs: EDPB Opinion 5/2023; CNPD Guidelines (04/2025).
- Ignoring the DPF’s dynamic nature. Decision 2023/1795 provides review/suspension mechanisms. Organisations must watch recipient certification validity and any EU/US legal developments. Ref: EUR‑Lex 2023/1795.
Official sources
- European Commission — Implementing Decision (EU) 2023/1795 of 10 July 2023 (GDPR Article 45): EUR‑Lex and “EU‑US data transfers” page.
- EDPB — Opinion 5/2023 on the EU‑US DPF draft adequacy decision: edpb.europa.eu.
- CNPD — News “La CNPD a mis à jour ses lignes directrices…” (18/04/2025) and guidelines (03/04/2025): cnpd.public.lu and PDF.
- United Kingdom — UK‑US Data Bridge (effective 12/10/2023): DSIT Explainer and Factsheet.
- ICO — Pages on adequacy and the UK‑US Data Bridge: ico.org.uk – UK Extension and Adequacy regulations.
In practice (2026): steer “multi‑regime” transatlantic flows: use the DPF where it applies, stay rigorous (SCCs/BCRs + TIA) where it does not, and avoid extrapolating to the UK perimeter. To speak with an expert, contact our team.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →