U.S. companies can self-certify their compliance with the EU-U.S. Data Privacy Framework Principles to participate in cross-border transfers of personal data.
The U.S. Department of Commerce launched the Data Privacy Framework (DPF) program website today, enabling eligible U.S. companies to self-certify their participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), facilitating cross-border transfers of personal data in compliance with EU law.
With trans-Atlantic data flows estimated to underpin more than $1 trillion in trade and investment annually, the EU-U.S. DPF provides a necessary mechanism to support economic opportunity for U.S. businesses of all sizes across all sectors of the economy. The DPF program is particularly valuable for small- and medium-sized enterprises that can now access an affordable and streamlined mechanism for personal data transfers from the European Economic Area (comprised of EU countries along with Iceland, Liechtenstein and Norway). Data flows between the United States and Europe more than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship.
To participate, companies must self-certify and publicly commit to comply with the EU-U.S. DPF Principles, which are enforceable under U.S. law. They can also self-certify their compliance with the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, which will enable personal data transfers from those jurisdictions after they complete their legal processes and deem such transfers to have adequate protection. Eligible companies can now sign up for the EU-U.S. DPF at www.dataprivacyframework.gov.
Companies that participate in the EU-U.S. Privacy Shield may begin relying immediately on the EU-U.S. DPF to receive personal data transfers from the European Union/European Economic Area but will need to self-certify to the EU-U.S. DPF by October 10. Companies can sign up for mechanisms to receive personal data from the United Kingdom and Switzerland beginning today. However, they may not rely on these mechanisms to receive personal data until the anticipated recognition by the UK Government and the Swiss Government of the adequacy of those mechanisms enters into force. Organizations interested in self-certifying should review the DPF program requirements, which are available, along with other guidance materials, on the DPF program website.
The DPF program website comes after years of collaboration and negotiation to reestablish a mechanism for transfers of EU personal data to the United States after the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the EU (CJEU) in 2020 due to concerns regarding U.S. signals intelligence.
In October 2022, President Biden issued Executive Order (EO) 14086 to bolster privacy and civil liberties safeguards with regard to U.S. signals intelligence. EO 14086 provides stronger safeguards and creates a new redress mechanism, fully addressing the concerns raised by the CJEU in 2020.
On July 10, 2023, the EU adopted an adequacy decision for the EU-U.S. DPF after determining that the additional safeguards included in EO 14086 and the EU-U.S. DPF provide an adequate level of protection for personal data transferred from the European Union. The adequacy decision allows the EU-U.S. DPF to facilitate the transfer of data from Europe to the United States, benefiting companies and individuals on both sides of the Atlantic.