The Data Privacy Framework (DPF) is based, on the one hand, on an adequacy decision (EU 2023/1795) adopted by the European Commission under Article 45 of the GDPR and, on the other hand, on a US presidential decree (Executive Order 14086).
American companies must self-certify with the Department of Commerce and commit to complying with a set of data protection principles similar to those of the GDPR.
Politically, the DPF represents a compromise between economic interests and digital sovereignty. However, these American guarantees are based on presidential decrees, which makes them easily revocable by a change in the American presidency.
The DPF responds to the criticisms made by the Court of Justice of the European Union in the Schrems II judgment by strengthening the framework governing US authorities' access to personal data and establishing an effective right of appeal for European citizens.

| THE PILLARS | CLARIFICATION |
|---|---|
| Notification | The company must inform the individuals concerned about the data collected, the purposes of the processing, how to contact the organisation, and their rights. |
| Choice | Individuals must be able to object to certain processing operations or to the transfer of their data to third parties, particularly for different purposes. |
| Subsequent transfer | Data may only be transferred to third parties if they offer an equivalent level of protection and are contractually bound to do so. |
| Security | The company must implement appropriate security measures to protect personal data against unauthorised access or use. |
| Data integrity and purpose limitation | Data must be accurate, relevant and used only for the purposes for which it was collected, except for legitimate archiving, research or public interest purposes. |
| Access principle | Individuals must be able to access their data and correct, modify or delete it if it is inaccurate or processed in violation of the principles. |
| Principle of recourse, application and liability | The company must provide an accessible appeal mechanism and submit to checks and sanctions in the event of non-compliance with the principles. |

In practice, the DPF facilitates the transfer of personal data to the United States, providing legal stability for economic actors. However, it does not block the application of the CLOUD Act, which can require providers subject to US law to provide access to data, even when that data is hosted in Europe. This situation highlights the importance of using sovereign cloud solutions that are fully hosted in the European Union.
In his appeal of 31 October 2025 before the CJEU, Philippe Latombe challenges the Court's judgment of 3 September 2025 on four main grounds: he criticises the Court for errors of law and assessment concerning the independence and legality of the Data Protection Review Court (DPRC), the bulk collection of data without prior authorisation in accordance with Schrems II, the rejection of the 2020 and 2024 judgments on generalised data retention, and the power of the US President to secretly update the collection objectives under Executive Order 14086.