IAPP Global Summit 2026: On the state of the trans-Atlantic data transfer agreement

According to the top U.S. official overseeing the EU-U.S. Data Privacy Framework, the U.S.-EU alliance is a USD9.8 trillion economic relationship, which is underpinned by how frictionless businesses can transfer data across the Atlantic Ocean. 

Speaking at the IAPP Global Summit 2026 in Washington, D.C., U.S. Department of Commerce's International Trade Administration Data Privacy Framework Director Alex Greenstein and European Commission Acting Head of Unit for Rule of Law and Equality, International Affairs and Data Flows Louisa Klingvall offered their respective takes on the current state of the framework. 

"You have a 9.8 trillion-dollar trans-Atlantic economic relationship and a lot of that does depend on the ability to transfer data," Greenstein said. "So, there is a strong economic case for why (the DPF) matters to companies in the United States." He added that U.S. digital service exports to the EU alone was valued at USD358 billion in 2024. 

US government sees 'uptick' in companies joining DPF

Greenstein said the DPF has become a useful data transfer vehicle for smaller organizations conducting business in the EU due to its relatively low cost of entry compared to other transfer mechanisms, like entering standard contractual clauses or binding corporate rules after the Privacy Shield was invalidated by the Court of Justice of the European Union in 2020. 

"Certainly, large companies have a variety of transfer mechanisms available under the (EU) General Data Protection Regulation. Chief among them are standard contractual clauses," Greenstein said. "The DPF is relatively easily applied, and it is readily scalable. It really does provide a particularly valuable proposition for small and medium enterprises that are looking to step out internationally."

According to the Department of Commerce, annual fees to participate in the EU-U.S. DPF range between USD260 to USD5,530, depending on a business's annual revenue. For organizations also participating in both the Swiss-U.S. Data Privacy Framework as well as the EU-U.S. DPF, annual fees range between USD390 and USD8,295. 

Greenstein said as of 6 March, more than 3,500 U.S. companies have signed onto the DPF. He said 62% of those companies are small and medium-sized enterprises, and 47% of total organizations participating in the DPF have fewer than 100 employees. 

The invalidation of the Privacy Shield also coincided with a growth period for a lot of U.S. companies conducting business in the EU, which were then forced to agree to a host of SCCs. While Greenstein said there has been a recent "uptick" in companies signing onto the DPF, companies with sufficient resources are opting to keep their SSCs in place and also sign onto the DPF to provide themselves with a second layer of legal protection.

"A decent number of companies are taking something of a belt-and-braces approach where they are using standard contractual clauses as their primary method of compliance," he said. "(They may see the DPF) as a gap-filler to cover things that they don't have 100% visibility on their contractual arrangements or need that additional assurance."

How the Department of Commerce supports the DPF

Greenstein also discussed the Department of Commerce's role in administering the DPF, which includes supporting companies that commit to the DPF principles and providing assistance for constructing their privacy notices to remain compliant. The department also conducts enforcement actions through spot checks to ensure companies comply with their public commitments.  

"When we have negatively available information, we send out questionnaires to the company asking them how (their actions) comport with their commitments under the DPF, and that if there are some things that can't be remedied, we'll refer those to the traditional federal enforcers," Greenstein said. "By and large, companies would want to work proactively so they do not need to go down the route of having an enforcement action brought against them."

The EU side

European Commission representative Klingvall recounted the first review of the DPF in 2024, a year after it entered into force. She said the review primarily focused how the organizational measures U.S. government institutions tasked with running the administrative sections of the DPF put in place. She also said the Commission placed an emphasis on soliciting input from industry and civil society on their experiences negotiating the new framework. 

"In this first review, we really looked at having institutional and organizational structures in place because it was only one year after establishing the system," Klingvall said. "It's very important to hear from the voices that are using the systems and look out for those concerns, and so it was a very thorough exercise. We checked the functioning of the commercial aspects in relation to the system, but also the possible use and transfer of data to U.S. public authorities."

Klingvall said the Commission's second review of the DPF will take place in 2027. That inquiry will probe the extent to which the U.S. government has implemented the Commission's recommendations from the first review, including how agencies like the Department of Commerce and Federal Trade Commission, tasked with monitoring compliance, are deploying technical solutions for enforcement.   

"Having gained a couple of years, the next review is likely to look more on the enforcement side and how things are looking in practice," Klingvall said. "This formal review is only one of the points of discussions that we have. We are in regular contact at a technical level with Alex and his team."

Update on first DPF redress cases 

The DPF's establishment of its redress mechanism for EU citizens via the U.S. Data Protection Review Court is a key reason why the Commission originally granted its adequacy decision to the DPF and why it has remained more resilient than its predecessor transfer frameworks.

At the conclusion of the session, Greenstein was asked by an attendee about the status of the two qualified complaints lodged by EU citizens under the DPF. 

While Greenstein said he could not discuss the material substance of the either complaint, he confirmed one complaint had been reviewed by the Office of the Director of National Intelligence's Privacy and Civil Liberties Officer; the other complaint is still pending review. 

"These were cases that were found to meet the criteria established under the redress mechanism," Greenstein said. "Those were received and processed according to the rules established by how the redress mechanism is supposed to function."