Data Privacy Framework Overview

OVERVIEW

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles, is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.

The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles, is July 17, 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.

The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department’s Data Privacy Framework (DPF) program website (i.e., https://www.dataprivacyframework.gov/) and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

Organizations that only wish to self-certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-U.S. DPF may do so; however, organizations that wish to participate in the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. DPF. Such organizations’ commitment to comply with the EU-U.S. DPF Principles with regard to transfers of personal data from the European Union and, as applicable, the United Kingdom (and Gibraltar), and/or the Swiss-U.S. DPF Principles with regard to transfers from Switzerland must be reflected in their self-certification submissions to the ITA, and at appropriate times in their relevant privacy policies. Organizations that self-certified their compliance pursuant to the EU-U.S. Privacy Shield that wish to enjoy the benefits of participating in the EU-U.S. DPF must comply with the EU-U.S. DPF Principles; and organizations that self-certified their compliance pursuant to the Swiss-U.S. Privacy Shield that wish to enjoy the benefits of participating in the Swiss-U.S. DPF must comply with the Swiss-U.S. DPF Principles.

To rely on the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for transfers of personal data from the European Union and, as applicable, the United Kingdom (and Gibraltar), and/or Switzerland, an organization must not only self-certify its adherence to the DPF Principles to the ITA, but also both be placed and remain on the Data Privacy Framework List. The ITA will update the Data Privacy Framework List on the basis of annual re-certification submissions made by participating organizations and by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the ITA’s procedures, or are found to persistently fail to comply. The ITA will also maintain and make available to the public an authoritative record of U.S. organizations that have been removed from the Data Privacy Framework List and will identify the reason each organization was removed. The aforementioned authoritative list and record will remain available to the public on the Department’s DPF program website. Any organization removed from the Data Privacy Framework List must cease making claims that it participates in or complies with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and that it may receive personal information pursuant to same. Such an organization must nevertheless continue to apply the DPF Principles to personal information that it received while it participated in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for as long as it retains such personal information.

Resources

All organizations interested in self-certifying their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements in their entirety. To assist in that effort, the ITA’s DPF team has compiled resources and addressed frequently asked questions below.