On Monday, July 17, 2023, the Department of Commerce launched a new website at https://www.dataprivacyframework.gov/s/ (“DPF Website”) providing more information about the new Data Privacy Framework covering EU, Swiss, and UK data transfers to the United States (collectively, the “DPF” or “Framework”) and a self-certification portal for the Framework. The Framework is intended as an alternative to transfer mechanisms like the Standard Contractual Clauses. Current Privacy Shield participants are already certified under the EU and Swiss Frameworks, and organizations that want to participate can certify on the DPF Website.
Framework Overview
The EU-U.S. DPF went into effect on July 10, 2023, when the European Commission adopted an adequacy decision for the Framework (for background, see our blog post here). This Framework replaces the EU-U.S. Privacy Shield and requires organizations to comply with a set of principles that are nearly identical to the EU-U.S. Privacy Shield Principles. Active EU-U.S. Privacy Shield participants automatically become participants in the EU-U.S. DPF. The EU-U.S. DPF is a full-fledged, standalone transfer mechanism that can be used instead of the Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) to transfer personal data to the U.S. from the European Economic Area (consisting of the EU member states plus Iceland, Liechtenstein, and Norway).
Active Swiss-U.S. Privacy Shield participants automatically become participants in the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), and organizations that want to participate can certify on the DPF Website. However, the Swiss-U.S. DPF will not fully enter into effect until Switzerland adopts an adequacy decision for the Framework, so participants need to rely on SCCs or BCRs until then.
The UK Extension to the EU-U.S. DPF (“UK Extension”) is substantively identical to the EU-U.S. DPF. Organizations that wish to participate in the UK Extension must be certified under the EU-U.S. DPF, and it appears that they must separately certify under the UK Extension. Organizations can certify now, but they cannot rely on the UK Extension as a standalone transfer mechanism until the UK adopts an adequacy decision.
The full text of the Frameworks and supporting letters from various government agencies are available on the DPF Website under the “About” menu.
How to Participate
Current Privacy Shield Participants: Current active EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield participants are automatically certified under the EU-U.S. DPF and Swiss-U.S. DPF, respectively. These organizations are listed on the Data Privacy Framework List. Participants should ensure that the descriptions accompanying their listings on the DPF Website are up to date and that they update their privacy policies by October 10, 2023, as required by the DPF.
New Participants: Organizations wishing to certify in the DPF for the first time (including those who have withdrawn from Privacy Shield participation) can access the “Self-Certify” page of the DPF Website. Certification requirements are essentially the same as under Privacy Shield.
Recertification: DPF participants must recertify on their previously scheduled Privacy Shield recertification date.