Data Privacy Framework Program Site Launched

U.S. companies can self-certify compliance with EU-U.S. Data Privacy Framework Principles

The Department of Commerce launched the Data Privacy Framework (DPF) program website today, enabling eligible U.S. companies to self-certify their participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), facilitating cross-border transfers of personal data in compliance with EU law.

To participate, companies must self-certify and publicly commit to comply with the EU-U.S. DPF Principles, which are enforceable under U.S. law. They can also self-certify their compliance with the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, which will enable personal data transfers from those jurisdictions after they complete their legal processes and deem such transfers to have adequate protection. Eligible companies can now sign up for the EU-U.S. DPF at www.dataprivacyframework.gov.

Companies that participate in the EU-U.S. Privacy Shield may begin relying immediately on the EU-U.S. DPF to receive personal data transfers from the European Union/European Economic Area but will need to self-certify to the EU-U.S. DPF by October 10. Companies can sign up for mechanisms to receive personal data from the United Kingdom and Switzerland beginning today. However, they may not rely on these mechanisms to receive personal data until the anticipated recognition by the UK Government and the Swiss Government of the adequacy of those mechanisms enters into force. Organizations interested in self-certifying should review the DPF program requirements, which are available, along with other guidance materials, on the DPF program website.

The DPF program website comes after years of collaboration and negotiation to reestablish a mechanism for transfers of EU personal data to the United States after the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the EU (CJEU) in 2020 due to concerns regarding U.S. signals intelligence.

In October 2022, President Biden issued Executive Order (EO) 14086 to bolster privacy and civil liberties safeguards with regard to U.S. signals intelligence.  EO 14086 provides stronger safeguards and creates a new redress mechanism, fully addressing the concerns raised by the CJEU in 2020.

On July 10, 2023, the EU adopted an adequacy decision for the EU-U.S. DPF after determining that the additional safeguards included in EO 14086 and the EU-U.S. DPF provide an adequate level of protection for personal data transferred from the European Union. The adequacy decision allows the EU-U.S. DPF to facilitate the transfer of data from Europe to the United States, benefiting companies and individuals on both sides of the Atlantic.
