What does the new EU–US Data Privacy Framework (DPF) FAQ mean for EU–US businesses?

On 15 January 2026, the European Data Protection Board (EDPB) released an updated version (Version 2.0) of its FAQ for European businesses on the EU-U.S. Data Privacy Framework (DPF). This update is important for organizations in the European Economic Area (EEA) that send personal data to the United States under the DPF.

Why is the EU-U.S. Data Privacy Framework significant?

European organizations that send personal data outside the EU/EEA must ensure these transfers comply with GDPR requirements. Under GDPR Chapter V, data can be transferred to other countries only if there is an adequacy decision, standard contractual clauses (SCCs), binding corporate rules, or other approved safeguards in place.

The EU-U.S. Data Privacy Framework is one such adequacy mechanism, adopted by the European Commission in 2023, which allows personal data to flow freely between the EU/EEA and the United States as long as the required conditions are met.

The DPF replaces earlier frameworks like the Privacy Shield, which were struck down by the Court of Justice of the European Union (CJEU). Because the DPF has an adequacy decision, companies certified under it can receive personal data from the EU without adding extra transfer safeguards—as long as they follow the Framework’s principles and continue to comply with the GDPR.

The EDPB plays an important role in explaining how the DPF should be understood and applied in real business situations. One way it does this is through its FAQ for European businesses, which was first issued in July 2024 and has now been updated with Version 2.0.

EDPB FAQ for European Businesses

The EDPB’s FAQ for European businesses is a practical guide that explains how organizations can use the DPF to transfer personal data. It is meant to answer common, real-life questions and help organizations understand:

  • When and how the DPF can be used to legally transfer personal data
  • What checks European organizations should do before trusting a U.S. company’s DPF certification
  • That using the DPF does not replace other GDPR duties: organizations must still keep records, remain accountable for compliance, and clearly define controller and processor roles
  • How to include DPF rules in privacy policies, contracts, and day-to-day compliance processes

The first version of the FAQ was published when the DPF started. After gaining more practical experience, the EDPB released Version 2.0 with clearer explanations, more examples, and more practical guidance that reflects how regulators now expect organizations to apply the DPF in practice.

When Was Version 2.0 Adopted?

Version 2.0 of the EDPB’s FAQ for European businesses was adopted on 15 January 2026. This reflects the EDPB’s effort to keep its guidance on the DPF up to date as more organizations begin using the framework in real-world business settings across different sectors.

At the same time, the EDPB updated other related guidance, including the FAQ for European individuals and additional documents that explain how the DPF should be applied and enforced.

What has changed in Version 2.0 of the FAQ?

The updated FAQ explains more clearly how the DPF works in real life. It focuses on practical issues that businesses face when transferring data.

a. Clearer guidance on using the DPF

Version 2.0 explains how European businesses should check whether a U.S. company’s DPF certification is valid and suitable for their data transfer. Businesses are expected to confirm that:

  • The certification is active
  • It covers the right types of personal data
  • It matches the purpose of the data transfer.

Simply relying on a U.S. company’s self-certification is not enough; it must be checked carefully.

b. Strong focus on GDPR compliance

The FAQ clearly states that using the DPF does not remove GDPR responsibilities. European organizations must still follow core GDPR principles such as:

  • lawfulness and transparency
  • collecting only necessary data
  • using data only for specific purposes
  • being able to show compliance.

In short, the DPF must be part of an organization’s overall GDPR compliance program, not a one-time checkbox.

c. Practical guidance on how to put the rules into action

Version 2.0 gives practical advice, including:

  • Ways to record and document data transfer assessments
  • Ways to update contracts and data processing agreements when relying on the DPF
  • Ways to determine when extra safeguards like encryption or audits may be useful, and
  • Ways to regularly check that a U.S. company’s DPF certification is still valid.

d. Using the DPF alongside other data transfer tools

The FAQ also clarifies that in certain situations, organizations may need to use the DPF along with other transfer tools such as Standard Contractual Clauses (SCCs). This is particularly important when data is sent beyond the U.S. or when parts of the data transfer fall outside the scope of the DPF.

Why This Update Matters for European Businesses

Version 2.0 of the FAQ is more than just an update to a guidance document. It has real, practical importance for how European businesses manage compliance, risk, and daily operations.

After earlier data transfer frameworks were struck down, many organizations were left unsure about how to lawfully transfer data outside the EU. The DPF, together with this updated FAQ, helps remove much of that uncertainty. It clearly explains when and how the DPF can be used, what is expected from businesses, and where the limits are.

With clearer guidance and fewer uncertainties, organizations can use DPF-based transfers more confidently and reduce the risk of regulatory scrutiny or enforcement action.

b. A practical compliance guide

The updated FAQ works like a step-by-step guide for organizations that:

  • regularly transfer data to the U.S.,
  • depend on U.S.-based service providers such as cloud platforms, SaaS tools, HR systems, or marketing and analytics vendors, and
  • need to show regulators that they take accountability and documentation seriously.

Instead of staying at a theoretical level, the guidance helps businesses turn GDPR requirements into practical, everyday processes.

c. Alignment with regulatory expectations

EU data protection authorities are paying closer attention to how compliance is actually implemented in practice. Version 2.0 reflects what regulators expect to see: proper transfer risk assessments, ongoing checks of DPF certifications, and clear documentation of decisions.

Organizations that follow this guidance closely will be in a stronger position during audits or investigations and are less likely to face fines or corrective actions.

Key steps businesses should take

European organizations that transfer data to the U.S. using the DPF should take some practical next steps. They should review and update their data protection programs, including transfer records, contracts with vendors, risk assessments, and GDPR documentation. Legal, privacy, and compliance teams should be trained on the updated FAQ so they know how to apply it to existing contracts and data transfers.

Organizations should also regularly check that their U.S. partners are still certified under the DPF and that the transferred data is covered by that certification. Finally, businesses should remember that the DPF does not replace GDPR duties, so overall GDPR compliance must continue.

Conclusion

The EDPB’s adoption of Version 2.0 of the EU–U.S. Data Privacy Framework FAQ on 15 January 2026 shows that the DPF is becoming more stable and practical as a data transfer solution. The revised guidance brings greater clarity, sets clearer compliance expectations, and helps organizations apply GDPR requirements in a more practical way when using the DPF. For European businesses that rely on cross-border data transfers, this update offers a clearer, more practical path to maintaining compliance while supporting uninterrupted business operations in a connected digital world.

Version 2.0 of the EDPB’s FAQ says that the EU–U.S. Data Privacy Framework can be used for sending data to the U.S., but only if European businesses regularly check it, keep records, and monitor compliance. It is not something they can use once and then forget about.

Key Takeaways

  1. The DPF can be safely used for EU–U.S. data transfers.
  2. Responsibility stays with European businesses to verify U.S. certification, scope, and ongoing compliance.
  3. The GDPR still fully applies; DPF simplifies transfers but does not reduce accountability.
  4. Regulators now expect strong documentation and continuous oversight, not just legal reliance on the framework.
  5. Using the Data Privacy Framework does not remove GDPR duties — European businesses are still fully responsible for protecting personal data and must follow all GDPR rules.
