
Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

Verifiable fact — On 10 July 2023, the European Commission adopted the EU‑US Data Privacy Framework (DPF) adequacy decision. In 2025, the CNPD updated its guidance and confirmed “free” transfers to certified US entities. The EDPB, however, had expressed substantial concerns.

The case

  • On 10 July 2023, the European Commission adopted adequacy decision (EU) 2023/1795 under Article 45 GDPR for the United States, based on the Data Privacy Framework (DPF). As a result, transfers to US organizations listed on the “DPF List” may rely on Article 45 without Article 46 tools or supplementary measures, subject to the decision’s conditions. See the decision on EUR‑Lex: EU 2023/1795.
  • On 28 February 2023, ahead of the final adoption, the European Data Protection Board (EDPB) issued Opinion 5/2023. It “welcomed” improvements but flagged concerns regarding US authorities’ access to data and some redress mechanisms, calling for continuous monitoring. See the official communication: EDPB – News (28/02/2023).
  • On 23 April 2025, the CNPD updated its international transfers guidance and published a dedicated DPF page. It explicitly states that “as of this date, transfers […] to entities […] listed on the DPF List may rely on the adequacy decision (Art. 45) and be carried out freely, without using Article 46 tools or applying supplementary measures.” See: CNPD – US DPF and CNPD News (04/2025).

Key takeaway: the tone diverges between a national authority (CNPD) that clearly operationalizes adequacy (“free” transfers if on the DPF List) and the EDPB, which calls for reinforced vigilance and highlights gaps.

Legal reasoning

  • GDPR basis. International transfers are governed by Articles 44–49 GDPR. Article 45 allows transfers “without specific authorization” where the Commission finds, by implementing decision, that a third country ensures an adequate level of protection. Decision 2023/1795 relies on new US safeguards, notably the redress mechanism via the Data Protection Review Court and limits/oversight on US intelligence access. Official reference: EUR‑Lex 2023/1795. For a refresher on baseline obligations, see our GDPR page.
  • CNPD position. In its guidance and DPF note, the CNPD follows the GDPR logic:
    1. If the US recipient is on the DPF List: transfers may rely on Article 45, without SCCs/TIA; internal obligations still apply (Art. 28 processor contract where applicable, transparency, Art. 30 records, etc.). See the CNPD page and dedicated PDF. CNPD – DPF; CNPD Guidelines (PDF).
    2. If the US recipient is not certified: revert to Article 46 tools (SCCs, BCRs, etc.) and perform a transfer impact assessment (TIA) with supplementary measures if needed. CNPD – DPF.
  • EDPB position. In Opinion 5/2023, the EDPB acknowledges progress but emphasizes:
    • the need for clarity on “necessity/proportionality” of US authorities’ access,
    • the effectiveness/independence of the redress mechanism,
    • regular monitoring by the Commission and DPAs. It recommends that these points be factored into the periodic evaluations of the decision. See the EDPB communication: EDPB – News.

In short: the CNPD “operates” adequacy to secure Luxembourg organizations’ data flows once a US entity is certified; the EDPB, as the EU‑level interpreter, reminds organizations that adequacy is not a blank check and depends on the continued effectiveness of the US safeguards.

What changes in practice

  • For executives, DPOs and CISOs in Luxembourg:
    • If your US provider (SaaS CRM, support, e‑signature, CDN, anti‑fraud, etc.) is on the DPF List, you may rely on Article 45 (adequacy) without SCCs or extra measures. Re‑check certification annually and the scope of Principles covered (controller/processor, HR data, etc.). Basis: Decision (EU) 2023/1795 and CNPD page. EUR‑Lex; CNPD. A structured external DPO mandate can steer governance and annual reviews.
    • If the provider is not DPF‑certified, fall back on Article 46 (SCCs 2021/914, BCRs…) and run a “Schrems II” TIA with, where needed, end‑to‑end encryption, pseudonymization/anonymization, or data minimization. CNPD guidance: news/guidance.
    • Article 28 GDPR clauses remain mandatory whenever a US provider acts as processor, even if it is DPF‑certified. The CNPD explicitly points this out. CNPD – DPF.
    • By contrast, the EDPB calls for substantive vigilance: follow the Commission’s periodic reviews and US developments. In a hypothetical future annulment, keep a contractual “Plan B” (ready SCCs, up‑to‑date TIA). EDPB – News.

Concrete examples in Luxembourg (May–June 2026):

  • Migrating a helpdesk to a DPF‑certified US vendor: legal basis = contract performance (Art. 6(1)(b)) or legitimate interests (6(1)(f)) as applicable; transfer = Art. 45 DPF; Article 28 DPA; updated notices (Arts. 13/14) reflecting the third country and the mechanism (DPF adequacy).
  • Using a US AI engine not DPF‑certified to categorize tickets: switch to SCCs + TIA, minimize data, prefer EU training, consider client‑side encryption.

Common pitfalls

  1. “DPF = no processor contract”. False. The DPF covers the transfer layer (Article 45), not the processing relationship. If the US recipient processes data “on behalf of” you, an Article 28 DPA remains mandatory (purpose, security, assistance, sub‑processing, audits). The CNPD stresses this. CNPD – DPF.
  2. Not checking the DPF certification scope. Some US entities are certified “HR data only” or for limited functional scopes. The adequacy decision refers to the DPF List as the reference. Verify status and concrete commitments. EUR‑Lex 2023/1795.
  3. Forgetting reversibility if certification lapses. Delisting from the DPF List removes adequacy benefits. Anticipate an automatic switch to SCCs + TIA in contracts and inform your customers. EUR‑Lex.
  4. Mixing up the “DPF” and the “UK‑US Data Bridge”. For LU→US flows, only the EU adequacy (2023/1795) applies. The “UK Extension to the EU‑US DPF” concerns transfers under the UK GDPR (ICO). Not the same legal basis. See ICO guidance for scoping. ICO – Adequacy regs.
  5. Assuming adequacy removes transparency duties. Your privacy notices must still identify third countries, the transfer basis (here: DPF adequacy), and rights/redress (Arts. 13 and 14 GDPR). The EDPB stresses clarity and effective redress. EDPB – News.

Official sources

  • European Commission — EU‑US DPF adequacy decision (10/07/2023), full text on EUR‑Lex: CELEX:32023D1795.
  • EDPB — “EDPB welcomes improvements under the EU‑U.S. Data Privacy Framework, but concerns remain” (28/02/2023): edpb.europa.eu.
  • CNPD Luxembourg — Thematic dossier “Transfers to the United States” (updated 2025): cnpd.public.lu and news “The CNPD has updated its guidelines on international transfers of personal data” (04/2025): cnpd.public.lu.
  • European Commission — “EU‑US data transfers” file: commission.europa.eu (institutional overview).
  • ICO (to distinguish the UK extension of the DPF): ico.org.uk.

Practical conclusion: in Luxembourg, the CNPD enables operational use of the DPF to streamline flows to certified US entities (Article 45 GDPR). Given the EDPB’s reservations about the policy and technical safeguards, leaders should keep a “Plan B” (SCCs + TIA ready) and monitor the adequacy reviews. For hands‑on support with implementation and transfer audits, reach out to our team.

Luxgap regulatory expertise article.