What Changed in the EDPB’s EU-U.S. DPF Guidance, and Why It Matters for Businesses
As transatlantic data flows continue to underpin global operations and companies continue to navigate compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the European Data Protection Board (EDPB) last month updated its guidance for European businesses. This guidance, the EU-US DPF FAQ for European Businesses, was first released in July 2024 and provided foundational guidance for European companies assessing whether and how they could rely on the EU-U.S. DPF for transfers to the United States.
With this January 2026 update, the EDPB has refined and expanded its guidance to address operational questions and strengthen clarity around transfers of HR data and verification of U.S. organizations’ certifications before transferring data.
Below, we break down the key differences between the 2024 and 2026 versions of the guidance and explain why these updates are especially important for companies relying on the EU-U.S. DPF to manage cross-border data transfers.
1. Expanded Guidance on HR Data Transfers
One of the most significant updates is the strengthened guidance around HR Data. The 2026 version requires that when an EEA data exporter transfers HR Data to a U.S. company certified to the EU-U.S. DPF in the U.S., it must confirm either that:
- The U.S. company holds an active DPF certification that specifically covers HR Data, or
- The company’s certification covers other data types and its privacy policy includes a commitment to cooperate and comply with the advice of the EU Data Protection Authorities (EU DPAs) concerning such data.
The 2026 version also clarifies that EEA exporters must inform the U.S. recipient that the transfer includes HR Data. Additionally, it emphasizes that the U.S. Department of Commerce and the European Commission are preparing further guidance on HR Data, which would provide more clarity for the U.S. companies that are certifying for the EU-U.S. DPF.
For European companies, the processing of HR Data is subject to the national laws of the applicable EU member state, and any restrictions or conditions around the transfer of that data are expected to be upheld. The 2026 update can help companies better manage the compliance obligations associated with employee-related data and signals that regulators are expecting a higher level of due diligence and transparency around the handling of employee data.
2. Revised Instructions for Verifying DPF Certifications
Both versions of the guidance direct European companies to the DPF List maintained by the U.S. Department of Commerce, but the 2026 update provides additional clarity and procedural detail.
Key differences:
- The 2024 guidance instructs companies to confirm that a U.S. recipient is actively certified and that its certification covers the relevant data types.
- The 2026 guidance expands this by clarifying that the DPF List includes a detailed register of both active and removed participants and emphasizes that EEA exporters cannot rely on the DPF for transfers to companies without an active certification.
- The 2026 guidance also reiterates that companies removed from the DPF List must still apply the DPF Principles to previously collected data for as long as they retain it.
These updates reflect the EDPB’s push for heightened accountability and traceability. Exporters cannot rely on outdated certification assumptions. Instead, organizations must incorporate ongoing verification checks into their privacy governance workflows, particularly when onboarding or renewing U.S. vendors.
3. Reorganization and Clarification of Key Sections
The 2026 version reorganizes content for improved readability, adds explanatory footnotes, and refines terminology (e.g., clarifying the interchangeable use of “organisations” and “companies”). While these changes may appear editorial, they help to reduce misinterpretations of the guidance, especially for enterprises adopting the EU-U.S. DPF for the first time.
4. Continued Emphasis on GDPR Obligations Beyond the EU-U.S. DPF
Both versions clarify that relying on the EU-U.S. DPF only addresses the data transfer requirements of the EU’s General Data Protection Regulation (GDPR)—all other GDPR obligations remain unchanged.
In particular, the 2026 guidance continues to highlight additional requirements associated with:
- Article 5 on the principles of processing personal data
- Article 6 on the lawfulness of processing personal data
- Articles 13-14 on information that must be provided to data subjects
- Article 28 on working with processors
- Articles 32-36 on certain data processing obligations
For companies that are subject to the GDPR and may mistakenly assume that adequacy under the EU-U.S. DPF replaces other GDPR obligations, the 2026 version reiterates that DPF participation does not diminish their GDPR responsibilities and reinforces the need for holistic privacy management.
What These Changes Mean for Businesses
Viewed collectively, the updates introduced in January 2026 strengthen compliance expectations for companies relying on the EU-U.S. DPF. In practice, businesses should:
- Implement regular DPF certification checks for U.S. partners.
- Conduct enhanced due diligence for HR Data transfers, including verifying certification scope and privacy policy commitments.
- Ensure that data processors are making commitments to comply with their applicable GDPR responsibilities.
- Understand the distinction between DPF participation and broader GDPR obligations.
- Prepare for future regulatory updates, particularly regarding HR Data from U.S. officials.
With regulators on both sides of the Atlantic closely monitoring transatlantic transfers, these changes help companies reduce compliance risk and maintain trusted data flows. Questions? Contact us at globalprivacy@bbbnp.org.