EU-US Data Privacy Framework (DPF)

📚 Your OSS for the EU-U.S. Data Privacy Framework!


By Rie Aleksandra Walle

Bookmark this page to keep up with everything DPF! Please suggest new resources on the LinkedIn article (where you can also see some nice diagrams/illustrations shared to our community).

And sign up for The Curated DPO newsletter to get access to further resources.

Newest resources

Created by Joe Jones and Cobun Zweifel-Keegan

10 July 2023: DPF approved!

The European Commission (EC) has now adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

Note that the adequacy is for certified US companies and not the entire country.

❌ Max Schrems has already stated that they (noyb) will challenge the new framework, so keep in mind that the DPF might not survive that CJEU round either. (And the US is just one territory: we still have to do TIAs and supplementary measures for other third countries...)

Key resources (as of 15 July, more to come):

🇪🇺 From the EU

🇺🇸 From the US - and for US-based companies

Like before, US companies can certify for the DPF by committing to comply with a detailed set of privacy obligations published on the certification website (live on 17 July). Note that the DPF currently only applies to US companies.

Those already certified under the Privacy Shield will receive information from their certification partners about next steps, but in short you're expected to update your privacy policy (within three months) and otherwise be able to comply with the DPF principles (which are, by and large, the same as before).

🎥 Also check out the LinkedIn event with Caitlin Fennessy (IAPP) and Alex Greenstein (Director DPF, U.S. Department of Commerce): The DPF in practice, where they also addressed some key questions.

🇺🇸🇬🇧 On 8 June, the UK and US agreed a "UK Extension" to the DPF, allowing certified US companies to also process UK personal data under the framework. This is contingent on adequacy being granted by both the US and UK governments (expected before too long). Also note that this is only a "data bridge" and not a stand-alone framework like the Swiss one.

🇺🇸🇨🇭 On July 10, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced "well advanced" discussions with the US and we expect adequacy to be granted once the new Swiss data protection legislation takes effect on 1 September.

NB! You can apply to certify for the DPF, the UK data bridge and the Swiss framework on 17 July, but you can't rely on the latter two for UK and/or Swiss transfers until adequacies have been granted.

Relevant links:

  • To certify visit the certification website (live on 17 July).
  • 17 July Press release U.S. Departments of Commerce and Justice and the European Commission Reaffirm Shared Values, Welcome Finalized EU-U.S. Data Privacy Framework.
  • 10 July Statement from President Joe Biden on EU Adoption of Adequacy Decision for U.S.-EU Data Flows.
  • 10 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.

💜 From noyb & Max Schrems

  • 10 July noyb's reaction to the DPF announcement: New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.

Various, including SA press releases and guidance:

  • 18 July IAPP article A guide to the attorney general’s finding of 'reciprocal' privacy protections in EU ("qualifying states").
  • 🇪🇺 The EDPB has so far only tweeted that "In the next few weeks the EDPB will develop an information note for stakeholders on the implications of the DPF".
  • 🇳🇴 Datatilsynet's questions and answers.
  • 🇩🇰 Datatilsynet's questions and answers.
  • 🇸🇪 Integritetsskyddsmyndigheten (IMY) has just posted a simple note.

Got other relevant links? Please share with me on LinkedIn!

  • 🇺🇸 3 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.
  • 🇺🇸 20 June U.S. Department of Justice Memorandum in Support of Designation of the European Union and Iceland, Liechtenstein and Norway as Qualifying States Under Executive Order 14086 (PDF direct link).
  • 🇪🇺 25 March Factsheet – Transatlantic Data Privacy Framework.
  • 🇺🇸 25 March Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework.
  • 💜 13 December noyb's reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission.
  • 🇪🇺 13 December Press release: Commission starts process to adopt adequacy decision for safe data flows with the US.
  • 🇪🇺 13 December The actual Draft adequacy decision.
  • 🇪🇺 13 December Q&A on the Draft adequacy decision.
  • 🇪🇺 7 October Q&A (web, also see handy PDF at the end of the page).
  • 🇺🇸 7 October Statement on the Executive Order from the U.S. Secretary of Commerce.
  • 🇺🇸 7 October Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework.
  • 💜 7 October noyb's first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law.
  • 💜 7 October Direct download (PDF) to noyb's structured (very helpful!) version of the Executive Order with bookmarks down to layer 3.
