Effective July 10, 2023, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) replaced the invalidated EU-U.S. Privacy Shield framework (“Privacy Shield”). Participating U.S. organizations can now receive personal data transferred from the European Economic Area in compliance with the EU General Data Protection Regulation and without being subject to further conditions.  

Similar to the Privacy Shield, the program is administered by the U.S. Department of Commerce, and U.S. organizations must certify to participate. The EU-U.S. DPF framework requires submitting an application and a privacy policy conforming to the EU-U.S. DPF Principles, certifying adherence to the EU-U.S. DPF Principles, and identifying an independent recourse mechanism. U.S. organizations who wish to certify to the DPF but did not maintain an active Privacy Shield certification, or have never certified, may begin the EU-U.S. DPF certification process immediately.

U.S. organizations that maintained their certification to the Privacy Shield framework may transfer that certification by no later than October 10, 2023. The EU-U.S. DPF does not create new substantive obligations for U.S. organizations that participated in the Privacy Shield framework; however, they must update their privacy policy and notices to reference the EU-U.S. DPF and its Principles.

Under the EU-U.S. DPF, additional safeguards will apply to transfers of human resources data collected in the employment context. For example, the U.S. “data importer” must certify annually its commitment to cooperate with EU Data Protection Authorities (“DPAs”) regarding HR data. Cooperation includes responding directly to DPA investigations and complying with DPA advice.

Upon certifying compliance with the EU-U.S. DPF, a U.S. organization may elect to certify adherence to the U.K. Extension to the EU-U.S. DPF in order to receive personal data transferred from the U.K. beginning October 12, 2023. To receive personal data transferred from Switzerland, U.S. organizations may certify their compliance with the Swiss-U.S. DPF; however, transfers of personal data from Switzerland cannot commence until Switzerland formally issues an adequacy decision for the U.S.

The EU-U.S. DPF, U.K. Extension, and Swiss-U.S. DPF present an alternative to the EU Standard Contractual Clauses, International Data Transfer Agreement, and Binding Corporate Rules for transatlantic transfers of personal data in compliance with applicable data protection law. Depending on the organization and the contemplated data transfer, certifying annually to a DPF may be more practical, time-efficient, and economical than executing EU Standard Contractual Clauses or an IDTA for each contemplated transfer activity.