EU-US Data Privacy Framework (DPF)

Important update 4 March 2025

Today's news of Trump pausing all US military aid to Ukraine shocked many. You can read my reaction here. This is purely my personal view, so take it for what it's worth. But the European Commission's response to Pascal Vautrin's DPF petition is definitely worth noting:

If Trump's actions the past weeks aren't "negative developments", including firing several members of the Privacy and Civil Liberties Oversight Board (PCLOB), I don't know what is.

As the 🇳🇴 DPA advises: we better have an exit strategy in case US transfers become illegal again. And it's worth checking out the 🇩🇰 DPA's cloud audit questionnaire again, and their third-country transfers guidance (only in Danish).

US Cloud soon illegal? Trump punches first hole in EU-US Data Deal

Trump paralysed the “Privacy and Civil Liberties Oversight Board” (PCLOB), a key element of the EU-US data transfer deal that allows EU-US data flows.

noyb.eu

Trump dismantles surveillance watchdog, triggering Europe’s privacy PTSD

The move is the “first big political puncture” in a EU-U.S. pact to allow data to flow freely.

POLITICOEllen O’Regan

Many ask the Norwegian DPA about US transfers – here’s their response. TL;DR: 1) The US adequacy is still valid, but they "expect that sooner or later [it] will be challenged in the CJEU". 2) Their key advice: have an exit strategy in case US transfers become illegal again.

Informasjon om overføringer til USA

Datatilsynet mottar for tiden en del spørsmål om reglene for overføringer av personopplysninger til USA. I denne artikkelen forsøker vi å svare på noen av dem.

Datatilsynet

Microsoft "completes EU Data Boundary, but I'm not sure it'll help, considering the current political landscape.

The LinkedIn article isn't kept up to date, but it has some great diagrams and illustrations shared with our community.

Newest resources - 2024

• July: US DPF website: Key Requirements for DPF Program Participating Organizations
• Sep: iapp article: PCLOB report further divides FISA Section 702 reauthorization talks
• Aug: iapp shares a great infographic of steps for implementing the DPF across multiple European jurisdictions:

10 July 2023: DPF approved!

The European Commission (EC) has now adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

Note that the adequacy is for certified US companies and not the entire country.

❌ Max Schrems have already stated that they (noyb) will challenge the new framework, so keep in mind that the DPF might not survive that CJEU round either. (And, the US is just one territory - we still have to do TIAs and supplementary measures for other third countries...)

Key resources (as of 15 July, more to come):

🇪🇺 From the EU

• 19 July EDPB's press release with link to their DPF information note.
• 10 July Press release: European Commission adopts new adequacy decision for safe and trusted EU-US data flows.
• Download the actual implementing decision here: Adequacy decision for the EU-US Data Privacy Framework.
• 10 July Q&A (web, also see print friendly PDF at the end of the page).
• 10 July Factsheet – EU-US Data Privacy Framework.
• 10 July Press conference with Commissioner Didier Reynders.
• The EC's page on Adequacy decisions.
• The EC's page on the International dimension of data protection: how personal data transferred between the EU and US is protected for both the Commercial sector and Law enforcement cooperation (this page links to many of the links already listed here).

🇺🇸 From the US - and for US-based companies

Like before, US companies can certify for the DPF by committing to comply with a detailed set of privacy obligations published on the certification website (live on 17 July). Note that the DPF currently only applies to US companies.

Those already certified under the Privacy Shield will receive information from their certification partners about next steps, but in short you're expected to update your privacy policy (within three months) and otherwise be able to comply with the DPF principles (which are, by large, the same as before).

🎥 Also check out the LinkedIn event with Caitlin Fennessy (IAPP) and Alex Greenstein (Director DPF, U.S. Department of Commerce): The DPF in practice where they also addressed some key questions.

🇺🇸🇬🇧 On 8 June, the UK and US agreed a "UK Extension" to the DPF, allowing certified US companies to also process UK personal data under the framework. This is contingent on adequacy being granted from both the US and UK governments (expected in not too long). Also note that this is only a "data bridge" and not a stand-alone framework as the Swiss one.

🇺🇸🇨🇭 On July 10, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced "well advanced" discussions with the US and we expect adequacy to be granted once the new Swiss data protection legislation takes effect on 1 September.

Relevant links:

• To certify visit the certification website (live on 17 July).
• 17 July Press release U.S. Departments of Commerce and Justice and the European Commission Reaffirm Shared Values, Welcome Finalized EU-U.S. Data Privacy Framework.
• 10 July Statement from President Joe Biden on EU Adoption of Adequacy Decision for U.S.-EU Data Flows.
• 10 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.

💜 From noyb & Max Schrems

• 10 July noyb's reaction to the DPF announcement: New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.

Various, including SA press releases and guidance:

• 18 July iapp article A guide to the attorney general’s finding of 'reciprocal' privacy protections in EU ("qualifying states").
• 🇪🇺 The EDPB has so far only tweeted that "In the next few weeks the EDPB will develop an information note for stakeholders on the implications of the DPF".
• 🇳🇴 Datatilsynets spørsmål og svar.
• 🇩🇰 Datatilsynets spørgsmål og svar.
• 🇸🇪 Integritetsskyddsmyndigheten (IMY) has just posted a simple note.

Got other relevant links? Please share with me on LinkedIn!

Archive links 2022-2023

• 🇺🇸 3 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.
• 🇺🇸 20 June U.S. Department of Justice Memorandum in Support of Designation of the European Union and Iceland, Liechtenstein and Norway as Qualifying States Under Executive Order 14086 (PDF direct link).
• 🇪🇺 25 March Factsheet – Transatlantic Data Privacy Framework.
• 🇺🇸 25 March Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework.
• 💜 13 December noyb's reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission.
• 🇪🇺 13 December Press release: Commission starts process to adopt adequacy decision for safe data flows with the US.
• 🇪🇺 13 December The actual Draft adequacy decision.
• 🇪🇺 13 December Q&A on the Draft adequacy decision.
• 🇪🇺 7 October Q&A (web, also see handy PDF at the end of the page).
• 🇺🇸 7 October Statement on the Executive Order from the U.S. Secretary of Commerce.
• 🇺🇸 7 October Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework.
• 💜 7 October noyb's first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law.
• 💜 7 October Direct download (PDF) to noyb's structured (very helpful!) version of the Executive Order with bookmarks down to layer 3.