On July 10, 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the successor to the EU-U.S. Privacy Shield, which the Court of Justice of the European Union deemed invalid on July 16, 2020. The U.S. Department of Commerce (“DoC”) is charged with administering and monitoring the EU-U.S. DPF program.

On July 17, 2023, the DoC International Trade Administration launched its EU-U.S. DPF website. Companies are now able to review the key requirements for participating organizations, including how to join the program and how to recertify.

How to Join or Recertify

If your company would like to participate in the EU-U.S. DPF and is not actively certified under the EU-U.S. Privacy Shield, you will have to self-certify via the DPF website. The DoC has provided a guide to self-certification, and further information in preparation for the process can be found in the DPF website’s FAQs. 

If your company is currently actively certified under the EU-U.S. Privacy Shield, you may begin to rely on the EU-U.S. DPF if you believe your company to be compliant. However, you will still need to update your privacy policy as soon as possible but no later than October 10, 2023. Requirements for compliant privacy policies can be found in the DPF website FAQs. An organization’s privacy policy must align with the DPF principles, specifically including each element of the notice principle, setting forth items about which a company must provide transparency to data subjects. The DoC also provides some sample language for a company to use when it represents that it is participating in the EU-U.S. DPF.

The UK and Switzerland

Parties certifying via the DPF website may also certify under the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK Extension”). However, as of the time of this client alert, neither framework may be relied on for data transfers.

On June 8, 2023, the UK and the U.S. agreed to establish a “data bridge”; but the UK has yet to recognize U.S. data protection, or the protection to be provided under the UK Extension, as adequate. Until such a determination, companies may not rely on the UK Extension for data transfers from the UK to the U.S. However, the U.S. government expects that the UK government will find the program adequate at some point in the future.

Likewise, while the Swiss-U.S. DPF principles are effective as of July 17, 2023, companies cannot rely on the Swiss-U.S. DPF for data transfers until Switzerland’s adoption of an adequacy decision.

Key Aspects of the EU-U.S. DPF

Principles. Like its predecessor, the EU-U.S. DPF is based on a system of certification by which U.S. organizations commit to a set of core principles, in this case the EU-U.S. Data Privacy Framework Principles. The principles include notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The principles apply immediately upon self-certification. 

Eligibility. To be eligible for certification under the EU-U.S. DPF, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).

DoC compliance monitoring. In accordance with the European Commission’s adequacy decision, the DoC may carry out “spot checks” of randomly selected organizations or specific organizations when potential compliance issues are identified (e.g., reported to the DoC by third parties) to verify whether (i) point(s) of contact for handling complaints and data subject requests are available and responsive; (ii) the organization’s privacy policy is readily available, both on its website and via a hyperlink on the DoC’s website; (iii) the organization’s privacy policy complies with the certification requirements; and (iv) the organization’s chosen independent dispute resolution mechanism is available to handle complaints.

In addition, the DoC will carry out cross-checks with the FTC and DoT to verify that the organizations are subject to the oversight body identified in their certification submissions. The DoC will also work with alternative dispute resolution bodies to verify that the organizations are registered for the independent recourse mechanism identified in their certification submission.

Publication. The DoC will maintain and make available to the public the Data Privacy Framework List (the “List”) of organizations that have certified their adherence to the principles. The List will be updated on the basis of an organization’s annual recertification submission and also when an organization is removed. The European Commission’s adequacy decision requires the DoC to make available to the public a record of organizations removed from the List, along with the reason for removal.