
EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026

Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.

What’s at stake: securing your transatlantic data flows without over‑compliance. Since the July 10, 2023 adequacy decision, the Data Privacy Framework (DPF) changes the picture, but not everywhere and not forever.

The general rule

  • Legal basis for transfers: GDPR Articles 44 to 49. Three main avenues: 1) adequacy decision (Art. 45), 2) appropriate safeguards (Art. 46, e.g., Standard Contractual Clauses — SCCs), 3) derogations (Art. 49) to be used exceptionally. See the consolidated text on EUR‑Lex. EUR‑Lex, GDPR.
  • On July 10, 2023, the Commission adopted an adequacy decision for the United States limited to organizations listed on the “Data Privacy Framework List.” For such certified recipients, transfers can rely on Art. 45, without SCCs or additional measures. Decision (EU) 2023/1795.
  • Context: the “Schrems II” judgment (CJEU, July 16, 2020, C‑311/18) invalidated Privacy Shield and strengthened the “essentially equivalent” standard, while confirming the validity of SCCs subject to an assessment of third‑country laws. Judgment C‑311/18.

What the regulators say

  • CNPD (Luxembourg) position. The CNPD confirms that, since the adequacy decision, transfers to US entities listed on the DPF List may rely on Art. 45 and be carried out “freely,” without resorting to Art. 46 or additional measures, provided their presence on the official list is verified. It points to the DPF site managed by the US Department of Commerce and reminds controllers of GDPR information obligations. CNPD – DPF USA.
  • CNPD – international transfer guidelines (2025 update). The CNPD details the hierarchy of mechanisms: priority to Art. 45 (adequacy), then Art. 46 (SCCs, BCRs…), and clarifies the specific DPF case. CNPD – Transfer guidelines.
  • EDPB (European Data Protection Board). Following adoption of the DPF, the EDPB issued an operational information note (redress, scope, oversight) and stresses that outside the DPF, Recommendations 01/2020 on “supplementary measures” remain applicable for Art. 46 transfers. EDPB – Info note DPF, EDPB – Recommendations 01/2020.

How to apply it in practice

Example: a Luxembourg group (head office in Luxembourg, EU subsidiaries) uses a US provider for email and analytics, and hosts certain logs with a US sub‑processor.

Step 1 — Map data flows

  • Build the record (Art. 30 GDPR) listing all US recipients (vendors/processors, remote support, backups, L2/L3 escalations, admin access). For each flow, record: intended transfer basis (Art. 45 or 46), purpose, data categories, frequency, storage/access countries. GDPR Art. 30.

Step 2 — Check DPF eligibility

  • For each recipient, check its status on the “Data Privacy Framework List” (US DoC). If “Active” and the scope covers your processing (e.g., HR, customer), you may switch to Art. 45. Keep evidence (date, scope, exact legal entity). DPF – official site.
  • Beware of onward transfers: contractually require any sub‑processor to be DPF‑certified or to apply another valid mechanism. Decision (EU) 2023/1795.

Step 3 — Update information and documentation

  • Privacy notices: state the transfer basis (Art. 45) and link to the DPF List and redress mechanisms. Update relevant DPIA records if risks change. CNPD – DPF USA.

Step 4 — When the DPF does not apply

  • If the US organization is not DPF‑certified (or your use falls outside its declared scope), revert to Art. 46 (2021 SCCs) with a transfer impact assessment (TIA) of third‑country law and implement “supplementary measures” as needed (strong encryption with exporter‑exclusive key control, pseudonymization, dataset segmentation, etc.). EDPB – Recommendations 01/2020.
  • Document the “Schrems II” analysis: purposes, categories, potential access by US authorities, contractual safeguards, feasibility of technical measures. Judgment C‑311/18.

Step 5 — Governance and ongoing monitoring

  • Set up a quarterly review of your vendors’ DPF status (delistings/renewals), with an alert that fires on loss of certification so you can switch that vendor to SCCs + supplementary measures. CNPD – DPF USA, EDPB – Info note DPF.
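The five steps above form one procedure: inventory the recipient, check the DPF List for status and declared scope, fall back to SCCs + TIA + supplementary measures when the DPF does not cover the flow, assess onward transfers, and re‑run the check each quarter. The following script is an added illustration (not Luxgap’s, the CNPD’s or the EDPB’s own tooling) of how that decision logic can be encoded over a vendor record. The DPF List snapshots, the vendor names and the `Vendor` record structure are all constructed for the example; in practice the status and scope are read manually from the official DPF site, and the snapshot here stands in for that evidence.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed snapshot of DPF List entries (illustrative only, not the real
# list published by the US Department of Commerce; names are fictional).
# Scope mirrors the DPF's declared fields: "HR" and "NON-HR" data.
DPF_LIST_SNAPSHOT = {
    "Mail Provider Inc.": {"status": "Active", "scope": {"HR", "NON-HR"}},
    "Analytics Corp": {"status": "Active", "scope": {"NON-HR"}},
    "LogHost LLC": {"status": "Inactive", "scope": {"NON-HR"}},
}
# Previous quarter's snapshot, kept to detect delistings (constructed).
PREVIOUS_SNAPSHOT = {
    "Mail Provider Inc.": {"status": "Active", "scope": {"HR", "NON-HR"}},
    "Analytics Corp": {"status": "Active", "scope": {"NON-HR"}},
    "LogHost LLC": {"status": "Active", "scope": {"NON-HR"}},
}
REVIEW_DATE = date(2026, 5, 4)


@dataclass
class Vendor:
    """One US recipient from the Art. 30 record (hypothetical structure)."""
    name: str
    flows: set                      # data fields transferred: {"HR"}, {"NON-HR"}
    sub_processors: list = field(default_factory=list)
    sccs_in_place: bool = False     # 2021 SCCs signed
    tia_done: bool = False          # transfer impact assessment documented
    supplementary_measures: bool = False


@dataclass
class TransferAssessment:
    vendor: str
    basis: str        # "Art. 45 (DPF)", "Art. 46 (SCCs)" or "NO VALID MECHANISM"
    alerts: list
    evidence: dict    # what to keep in the record / DPIA


def dpf_covers(vendor, snapshot):
    """Step 2: Active on the list AND declared scope covers every flow."""
    entry = snapshot.get(vendor.name)
    if entry is None or entry["status"] != "Active":
        return False, "not on DPF List or not Active"
    uncovered = vendor.flows - entry["scope"]
    if uncovered:
        return False, f"DPF scope does not cover {sorted(uncovered)}"
    return True, "Active, declared scope covers all flows"


def assess(vendor, snapshot, today):
    """Steps 2 and 4: pick the transfer basis, then walk onward transfers."""
    alerts = []
    covered, reason = dpf_covers(vendor, snapshot)
    evidence = {"checked_on": today.isoformat(), "dpf_check": reason}
    if covered:
        basis = "Art. 45 (DPF)"
    elif vendor.sccs_in_place and vendor.tia_done:
        basis = "Art. 46 (SCCs)"
        if not vendor.supplementary_measures:
            alerts.append("TIA documented but no supplementary measures recorded")
    else:
        basis = "NO VALID MECHANISM"
        alerts.append("DPF not applicable and SCCs/TIA missing")
    # Pitfall 5: each sub-processor must also rest on a valid mechanism.
    for sub in vendor.sub_processors:
        sub_result = assess(sub, snapshot, today)
        alerts.extend(f"onward transfer via {sub.name}: {a}" for a in sub_result.alerts)
    return TransferAssessment(vendor.name, basis, alerts, evidence)


def delistings(previous, current):
    """Step 5: vendors that were Active last quarter and no longer are."""
    return sorted(
        name for name, entry in previous.items()
        if entry["status"] == "Active"
        and current.get(name, {}).get("status") != "Active"
    )


# Constructed inventory matching the Luxembourg group example in the text.
LOG_HOST = Vendor("LogHost LLC", {"NON-HR"})          # delisted, no SCCs
ANALYTICS = Vendor("Analytics Corp", {"HR"}, sub_processors=[LOG_HOST],
                   sccs_in_place=True, tia_done=True, supplementary_measures=True)
MAIL = Vendor("Mail Provider Inc.", {"HR", "NON-HR"})


def review_inventory(vendors=(MAIL, ANALYTICS), snapshot=DPF_LIST_SNAPSHOT,
                     previous=PREVIOUS_SNAPSHOT, today=REVIEW_DATE):
    """Quarterly run: one assessment per vendor plus the delisting alert list."""
    return {
        "assessments": {v.name: assess(v, snapshot, today) for v in vendors},
        "delisted_since_last_review": delistings(previous, snapshot),
    }


if __name__ == "__main__":
    report = review_inventory()
    for name, result in report["assessments"].items():
        print(f"{name}: {result.basis}; alerts={result.alerts}")
    print("delisted:", report["delisted_since_last_review"])
```

Two edge cases from the text are exercised: the analytics vendor is Active on the list but its declared scope (NON‑HR) does not cover the HR data actually sent, so it drops to Art. 46 rather than Art. 45; and its log‑hosting sub‑processor has lost certification and has no SCCs, which surfaces as an onward‑transfer alert on the parent vendor and as a delisting in the quarterly diff. The `evidence` dictionary is what the text asks you to retain (date of check and result) for the record and DPIA.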

Common pitfalls

  1. Assuming “DPF = the US in general.” False: only the entity appearing on the DPF List, and only for its declared fields (commercial/HR), benefits from Art. 45. Other recipients require an Art. 46 basis and, where needed, supplementary measures. Decision (EU) 2023/1795.
  2. Forgetting remote access. US technical support connecting to EU systems is a transfer. Map such access and, if the provider is DPF‑certified, tie the access to its certification; otherwise, SCCs + assessment. EDPB – Recommendations 01/2020.
  3. Not updating data subject information. Your notices must indicate the mechanism (Art. 45 DPF or Art. 46 SCCs), the right to redress, and useful links (DPF List, redress mechanism). CNPD – DPF USA.
  4. Falling back on Art. 49 for convenience. Derogations (e.g., explicit consent, necessity for a contract) are strictly limited and not intended for recurring transfers. Prioritize Arts. 45/46. GDPR Art. 49 on EUR‑Lex.
  5. Ignoring “onward transfer.” The DPF recipient must govern its sub‑processors and onward transfers; verify and contract the chain, notably for analytics and multi‑tier cloud services. Decision (EU) 2023/1795.


2026 watchpoints: as of May 4, 2026, the adequacy decision remains in force; still, maintain regulatory watch (EDPB/CNPD) and prepare a fallback plan (SCCs + supplementary measures) if the context changes. Focus efforts on vendor governance (DPF status), clear data subject information, and robust evidence in your records and DPIAs.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
