Adequacy Today, Uncertainty Tomorrow: Why Governance Must Backstop the EU–US Data Privacy Framework

This past week, the General Court of the European Union dismissed challenges against the European Commission’s adequacy decision for the EU–US Data Privacy Framework (DPF). In plain terms, this means the Court agreed that recent U.S. reforms—like limits on surveillance and a new review court for complaints—offer protections for EU citizens’ data that are strong enough to be considered “essentially equivalent” to EU standards.


For now, companies can keep sending data to the U.S. under the DPF instead of relying only on Standard Contractual Clauses (SCCs).


But there’s a catch.


The Court made clear that adequacy will only hold if the U.S. continues to honor its promises. If surveillance expands again, or if the new Data Protection Review Court (DPRC) loses its independence, the European Commission is required to suspend or even cancel the framework. In short, the green light is on, but it could turn red at any moment.

That risk is real. The rules supporting the DPF in the U.S. depend on executive orders and laws that could be changed by a future administration or Congress.


Advocacy groups have already promised to challenge the DPF in Europe’s highest court, just as they did with Safe Harbor in 2015 and Privacy Shield in 2020.


Both of those frameworks collapsed overnight, leaving thousands of businesses scrambling to fix contracts and keep data flowing legally. If history repeats itself, the DPF could be next.


This is why Information Governance (IG) matters.


IG is about putting in place the policies, records, and controls that make businesses resilient even if the legal framework changes.


One of the most important of these practices is dual-track transfer governance. Even if you use the DPF, you should also keep other legal safeguards in place—like SCCs or Binding Corporate Rules (BCRs)—that can be activated quickly if adequacy disappears. Think of it as carrying a spare tire: you may not need it now, but when you do, it saves you from being stranded.


Another critical practice is data mapping and classification. Not all data is equal. Health records, financial information, and HR files are more sensitive and attract more scrutiny. Companies need clear records of what data is transferred, why, and under what authority. That way, if regulators ask questions, they can point to specific evidence.


IG also strengthens contracts with vendors. Agreements should include commitments to follow EU-level protections, give audit rights, and allow termination if adequacy is lost. Without this, businesses risk being locked into noncompliant service relationships.


Finally, IG supports ongoing monitoring. The Commission is keeping watch, but companies can’t just sit back. They need to follow regulatory updates, have clear escalation procedures, and document oversight at the management level. That way, if adequacy is challenged, they can show regulators they were alert and prepared.


The push for resilience is part of a bigger trend. According to a 2024 Gartner survey, 63% of organizations worldwide have already implemented a zero-trust strategy. Zero-trust means never assuming access is safe—always verifying, always limiting, always logging. Applied to international data transfers, zero-trust reinforces IG by minimizing data exposure, encrypting before transfer, and keeping track of every access point.


The takeaway is simple: the DPF gives businesses breathing room.


It is not a permanent shield.


Adequacy is both conditional and potentially tenuous. Governance is what makes it durable.


Without it, companies risk being caught in another costly and high-risk cycle of last-minute scrambling.


With it, they can turn today’s fragile certainty into long-term resilience.
