The EU-U.S. Data Privacy Framework

The EU-U.S. Data Privacy Framework (DPF) is a legal agreement about managing the privacy of individuals’ personal data if it is transferred across the international borders of participating countries. It reflects an adequacy decision between the European Union (EU), European Economic Area (EEA) and the United States. This means that the European Commission and the US government have both agreed that the other takes adequate measures to limit and protect residents’ personal data that is transferred internationally, if participating US companies are certified under the DPF.

The DPF also outlines data subjects’ rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.

Adequacy decision from the European Commission (EN PDF, 2.75MB)

US Data Privacy Framework website

Adequacy decisions are outlined and in some cases required by the General Data Protection Regulation (GDPR) and other laws. Necessary data protection measures for the countries involved are written out and data transfer, surveillance, and protection operations of the participating countries are mutually investigated to ensure they meet data protection standards. This helps ensure and enable the transfer of data to “third countries” with reasonable guarantees of security and protection.

The EU-U.S. Data Privacy Framework is the new and current adequacy agreement between the EU and US, which went into effect on July 10, 2023. A review of the agreement is scheduled for one year after going into effect, to verify that all required elements have been put in place and are effective in practice.

Once the review has taken place, the European Data Protection Board (EDPB) and EU member states will determine the frequency of future reviews, though such reviews will have to take place at least every four years and the EDPB will be involved.

The previous adequacy agreement between the two regions was called the Privacy Shield. It was in effect between July 2016 and July 2020. It was struck down by a court ruling by the European Court of Justice in a case known as Schrems II after Austrian lawyer and privacy activist Max Schrems who initiated the complaint. The grounds were that the Privacy Shield did not adequately protect EU citizens from government surveillance.

There are seven core principles to the DPF:

Notice: To inform data subjects whose data is processed, notifications are required by most data privacy laws. Data subjects must be informed about what data is collected, transferred, or shared, and with which parties for what purposes. Information about their data privacy rights and exercising them are also usually required. This information is generally included in a company’s privacy notice or on a privacy policy web page.

Choice: Individuals whose data is affected by the DPF must be offered choices for processing of their data, including opting out of sharing with third parties, use of data for purposes not initially consented to, if the data is categorized as sensitive, etc. Prior consent requirements apply, as with the GDPR.

Accountability for onward transfers: Participating organizations must comply with certain procedures and impose certain contractual terms if data is transferred to a third party.

Security: “Reasonable and appropriate” measures must be taken to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.

Data integrity and purpose limitation: Personal data may only be used and retained for the purpose(s) for which it was collected and for which the organization has data subjects’ consent. Organizations must also take reasonable steps to ensure personal data it holds is kept updated and accurate.

Access: Participating countries must allow data subjects to access their personal data and request correction or deletion of it (if inaccurate or processed in a way that violates the DPF), with some exceptions.

Recourse, enforcement and liability: Participating companies must implement robust recourse mechanisms in cooperation with authorities to address complaints and claims under a two-tier system with the DPF.

The DPF provides several new rights to residents of participating countries if their data is or would be transferred to a third country, typically by companies that collected the data.

• Right to obtain access to their data
• Right to have their data corrected
• Right to have their data deleted (if it’s incorrect or was unlawfully handled)
• Right to redress if data is wrongly handled (including free dispute resolution and arbitration)

Safeguards in place to protect the personal data of Europeans include:

• Enhanced oversight of US intelligence services to ensure compliance with surveillance limitations
• Access limitations to data by US intelligence authorities to be proportionate to protecting national security
• Establishment of an independent redress mechanism, including a Data Protection Review Court, to investigate and resolve complaints by EU residents about data access by US national security authorities

• Secure flow of data among participating countries
• Reliance on SCCs no longer required for data transfer
• Streamlined legal processes for checking documentation, certifications, and required safeguards and security measures for working with US companies
• Protection of Europeans’ personal data transferred to the US, addressing European Court of Justice requirements
• Limitations on surveillance by US national security authorities
• Robust legal basis for data transfers
• Economic benefits, as there is already € 900 billion in annual cross-border commerce

For European companies, international data transfers to US companies that are on the DPF list will be streamlined, as they have been certified and determined to have adequate data protection operations in place. The companies involved will not have to work through arrangements with SCCs and/or other mechanisms to ensure data privacy.

European data subjects also have clearer and stronger options for complaints and getting them addressed if they suspect their data has been mishandled by a US company/companies. The redress mechanisms are available regardless of the manner of data transfer, if the US company involved is on the DPF list.

Companies based in the EU, EEA, and US can participate, though DPF participation would only be relevant if they transfer personal data collected to the United States, or plan to do so. Transfers of data to other third countries would require separate adequacy agreements or comparable measures.

Participation in the DPF requires companies to get certified by governing bodies. The process involves submission of self-certification, and participation is voluntary.

US companies that do not want to self-certify can use other data transfer mechanisms, such as standard contractual clauses (SCC), with EU partners, to enable an international flow of data.

American companies can certify their participation in the EU-U.S. Data Privacy Framework if they commit to compliance with the specified set of data privacy obligations. Common data privacy principles (included in the GDPR and other laws) involve:

• purpose limitation
• data minimization
• data retention
• data sharing with third parties
• data security

US companies were able to begin submitting initial self-certification submissions to the Data Privacy Framework website as of July 17, 2023.

Companies that self-certified under the Privacy Shield do not need to re-certify under the DPF. Their participation will be automatic, but they must update their privacy policies accordingly and their certification will be reviewed annually. The European Data Protection Board (EDPB) will also be involved in reviews.

If a US company self-certified under the Privacy Shield but does not want to participate in the Data Privacy Framework, they must formally withdraw per the International Trade Administration’s withdrawal process.

In the United States the International Trade Administration (ITA) within the Department of Commerce (DOC) will be the DPF’s administrators. They will be responsible for processing certification applications and monitoring certified companies to determine if they continue to meet certification requirements.

Compliance of US companies with the DPF will be enforced by the Federal Trade Commission (FTC). Companies are also subject to the Department of Transportation’s (DOT) investigative and enforcement powers.

The government of the United Kingdom is working on its own separate agreement with the United States, which would be an extension of the Data Privacy Framework. The International Trade Association has stated that self-certified American companies may also self-certify compliance with the UK extension once in place and formally approved.

The Swiss-U.S. Data Privacy Framework came into effect on July 17, 2023, and companies can begin the self-certification process as of that date. US companies that self-certify with that Framework must comply with the Swiss-US DPF, which includes a requirement to update privacy policies by October 17, 2023.

There is no change needed at this time for Usercentrics and its customers with regards to the DPF.

Learn more about implementing transatlantic transfers from IAPP

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.