Effective July 10, 2023, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) replaced the invalidated EU-U.S. Privacy Shield framework (“Privacy Shield”). Participating U.S. organizations can now receive personal data transferred from the European Economic Area in compliance with the EU General Data Protection Regulation and without being subject to further conditions.
Under the EU-U.S. DPF, additional safeguards will apply to transfers of human resources data collected in the employment context. For example, the U.S. “data importer” must certify annually its commitment to cooperate with EU Data Protection Authorities (“DPAs”) regarding HR data. Cooperation includes responding directly to DPA investigations and complying with DPA advice.
Upon certifying compliance with the EU-U.S. DPF, a U.S. organization may elect to certify adherence to the U.K. Extension to the EU-U.S. DPF in order to receive personal data transferred from the U.K. beginning October 12, 2023. To receive personal data transferred from Switzerland, U.S. organizations may certify their compliance with the Swiss-U.S. DPF; however, transfers of personal data from Switzerland cannot commence until Switzerland formally issues an adequacy decision for the U.S.
The EU-U.S. DPF, U.K. Extension, and Swiss-U.S. DPF present an alternative to the EU Standard Contractual Clauses, International Data Transfer Agreement (“IDTA”), and Binding Corporate Rules for transatlantic transfers of personal data in compliance with applicable data protection law. Depending on the organization and the contemplated data transfer, certifying annually to a DPF may be more practical, time-efficient, and economical than executing EU Standard Contractual Clauses or an IDTA for each contemplated transfer activity.