On July 10, 2023, the EU Commission approved the EU-U.S. Data Privacy Framework (“EU-US DPF”) as a valid transfer mechanism for sharing personal data from European Economic Area countries (those in the EU plus Iceland, Liechtenstein and Norway) to the United States. The UK and Switzerland are also anticipated to adopt localized rules extending the EU-US DPF to those jurisdictions.
Companies with an active certification under the EU-US Privacy Shield Framework either need to prepare to comply with the EU-US DPF or withdraw from the program in accordance with the International Trade Association’s (ITA) procedures. To transition from the EU-US Privacy Shield Framework to the EU-US DPF, prepare to update your privacy policy to refer to your commitment to comply with the “EU-U.S. Data Privacy Framework Principles” before October 10, 2023, and ensure your organization is prepared to comply with the EU-US DPF Principles. The EU-US DPF Principles will be available on the ITA’s Data Privacy Framework website when it launches on July 17. In the meantime, companies can reference the Privacy Shield Principles (which are substantially similar) or the EU-US DPF Principles which are outlined in the EU Commission’s adequacy decision, approving the EU-US DPF. Your company will also need to complete annual recertifications; your recertification date will remain the same as the one for your Privacy Shield re-certification deadline.
The UK has signaled intent to adopt its extension to the EU-US DPF but have not (as of this article) completed all necessary approvals.
The Swiss-US DPF will enter into effect on July 17, 2023. Companies with an active certification under the Swiss-US Privacy Shield Framework either need to prepare to comply with the Swiss-US DPF or withdraw from the program in accordance with the ITA’s procedures. To transition from the Swiss-US Privacy Shield Framework to the Swiss-US DPF, prepare to update your privacy policy to refer to your commitment to comply with the “Swiss-U.S. Data Privacy Framework Principles” before October 17, 2023, and ensure your organization is prepared to comply with the Swiss-US DPF Principles. Organizations may not begin relying on the Swiss-US DPF to receive personal data from Switzerland until the Swiss Federal Administration’s anticipated recognition of adequacy and that enters into force.
Eligible organizations wishing to make their initial self-certification under the new frameworks (including those with inactive certifications under EU-US Privacy Shield) can do so beginning on July 17, 2023, by visiting the ITA’s Data Privacy Framework website at www.dataprivacyframework.gov.
We continue to monitor for the latest updates and are available to support your company in connection with lawful data transfers under the EU-US DPF and the UK Extension, and Swiss-US DPF or other approved data transfer mechanisms.