Transatlantic Transfers of Personal Data: Transferring a Privacy Shield Certification to the New EU-U.S. Data Privacy Framework

Jackson Lewis P.C.


Effective July 10, 2023, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) replaced the invalidated EU-U.S. Privacy Shield framework (“Privacy Shield”). Participating U.S. organizations can now receive personal data transferred from the European Economic Area in compliance with the EU General Data Protection Regulation and without being subject to further conditions.

Similar to the Privacy Shield, the program is administered by the U.S. Department of Commerce, and U.S. organizations must certify to participate. The EU-U.S. DPF framework requires submitting an application and a privacy policy conforming to the EU-U.S. DPF Principles, certifying adherence to the EU-U.S. DPF Principles, and identifying an independent recourse mechanism. U.S. organizations who wish to certify to the DPF but did not maintain an active Privacy Shield certification, or have never certified, may begin the EU-U.S. DPF certification process immediately.

U.S. organizations that maintained their certification to the Privacy Shield framework may transfer that certification by no later than October 10, 2023. The EU-U.S. DPF does not create new substantive obligations for U.S. organizations that participated in the Privacy Shield framework; however, they must update their privacy policy and notices to reference the EU-U.S. DPF and its Principles.

Under the EU-U.S. DPF, additional safeguards will apply to transfers of human resources data collected in the employment context. For example, the U.S. “data importer” must certify annually its commitment to cooperate with EU Data Protection Authorities (“DPAs”) regarding HR data. Cooperation includes responding directly to DPA investigations and complying with DPA advice.

Upon certifying compliance with the EU-U.S. DPF, a U.S. organization may elect to certify adherence to the U.K. Extension to the EU-U.S. DPF in order to receive personal data transferred from the U.K. beginning October 12, 2023. To receive personal data transferred from Switzerland, U.S. organizations may certify their compliance with the Swiss-U.S. DPF; however, transfers of personal data from Switzerland cannot commence until Switzerland formally issues an adequacy decision for the U.S.

The EU-U.S. DPF, U.K. Extension, and Swiss-U.S. DPF present an alternative to the EU Standard Contractual Clauses, International Data Transfer Agreement, and Binding Corporate Rules for transatlantic transfers of personal data in compliance with applicable data protection law. Depending on the organization and the contemplated data transfer, certifying annually to a DPF may be more practical, time-efficient, and economical than executing EU Standard Contractual Clauses or an IDTA for each contemplated transfer activity.

For more insights on the EU-U.S. DPF listen to our podcast: The EU-US Data Privacy Framework: Transferring Personal Data Under the New Privacy Shield

Skip to content

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide