Key resources: EU-US Data Privacy Framework


Here's your OSS for all things DPF! Updates are done mainly on this page. (Have I missed a great resource? Share below or in DM.)

US-based company? Read more below under the heading Important Privacy Shield Program Update and make sure you watch the LinkedIn Live recording for more practical information.

And sign up for The Curated DPO newsletter to get access to further resources.

Newest resources

10 July 2023: EU-US DPF approved!

The European Commission (EC) has now adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

Like before, US companies can certify for the DPF by committing to comply with a detailed set of privacy obligations at https://www.dataprivacyframework.gov/s/ (goes live 17 July).

Max Schrems has already stated that they (noyb.eu) will challenge the new framework, so keep in mind that the DPF might not survive that CJEU round either...

And the US is just one territory - we still have to do TIAs and supplementary measures for other third countries, as Theodor Sachs Leschly pointed out in his post:

Now, we only have India, China, Ukraine, Pakistan, Singapore, South Africa, Brazil, Congo, Turk… [etc., etc.] …Azerbaijan, and Australia to consider.

Key resources (as of 10 July, updates will be posted on this page):

From the EU

  • 19 July EDPB's press release with link to their DPF information note.
  • 10 July Press release: European Commission adopts new adequacy decision for safe and trusted EU-US data flows.
  • Download the actual implementing decision here: Adequacy decision for the EU-US Data Privacy Framework.
  • 10 July Q&A (web, also see print friendly PDF at the end of the page).
  • 10 July Factsheet – EU-US Data Privacy Framework.
  • Also see the press conference where the DPF was announced by Commissioner Didier Reynders (where he also responds to questions about Max Schrems' statements on challenging the new framework in the CJEU - again).
  • The EC's page on Adequacy decisions.
  • The EC's page on the International dimension of data protection: how personal data transferred between the EU and US is protected for both the Commercial sector and Law enforcement cooperation (this page links to many of the links already listed here).

From the US

  • 17 July Press release: U.S. Departments of Commerce and Justice and the European Commission Reaffirm Shared Values, Welcome Finalized EU-U.S. Data Privacy Framework.
  • 10 July Statement from President Joe Biden on EU Adoption of Adequacy Decision for U.S.-EU Data Flows.
  • 10 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.

From noyb & Max Schrems

  • 10 July noyb's reaction to the DPF announcement: New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.

Press releases and (some) guidance from the SAs:

Other various useful resources:

18 July IAPP article A guide to the attorney general’s finding of 'reciprocal' privacy protections in EU ("qualifying states") by Peter Swire.

Odia Kagan's nice writeup and overview: The US Adequacy Decision Deep Dive You Didn’t Know you Needed.

Then Tim Clements has made an eye-catching visual timeline:


Click to visit Tim's LinkedIn post where you can ask him for a PDF version - that he shares for free!

Andrey Prozorov has also made a fine mindmap:

Mindmap of the new US adequacy decision, the EU-U.S. Data Privacy Framework, by Andrey Prozorov
Click to visit Andrey's LinkedIn post where you can download a PDF version.

Got other relevant links? Please share with me in the comments.

Important Privacy Shield Program Update for US-based businesses & relevant LinkedIn Live event

  • First, make sure you attend the LinkedIn Live The EU-U.S. Data Privacy Framework in practice with Caitlin Fennessy, IAPP & Alex Greenstein, U.S. Department of Commerce.
  • Also see the post shared by Phil Lee (reshared in full below with permission) - a precise summary of an important Privacy Shield Program update from the US International Trade Administration:
  • If you are currently self-certified under the EU-US Privacy Shield, you can *automatically* transition to and rely on the EU-US DPF for your US transfers provided you update your privacy policy and otherwise comply with the DPF principles etc. (and must withdraw your certification if not).
  • From 17 July, organisations will also be able to certify to the UK "extension" to the EU-US DPF (but can't start making UK-US transfers under the DPF until the UK adopts its own DPF adequacy regulations - though expect this to be imminent). Notably, organisations can ONLY participate in the UK extension if they are also EU-US DPF certified.
  • Also from 17 July, the Swiss-US DPF will go into effect. Again, there will be automatic transition for those that were previously Swiss-US Privacy Shield certified. As with the UK, you can't start making Swiss-US transfers under the DPF though until Switzerland grants the DPF adequacy recognition - though expect this to be imminent.
  • The official DPF website will go live on 17 July - enabling self-certifications to begin from that date, and providing all associated docs (e.g. Principles, guidance etc.)

Archive links 2022-2023

  • 3 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.
  • 25 March Factsheet – Transatlantic Data Privacy Framework.
  • 25 March Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework.
  • 13 December noyb's reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission.
  • 13 December Press release: Commission starts process to adopt adequacy decision for safe data flows with the US.
  • 13 December The actual Draft adequacy decision.
  • 13 December Q&A on the Draft adequacy decision.
  • 7 October Q&A (web, also see handy PDF at the end of the page).
  • 7 October Statement on the Executive Order from the U.S. Secretary of Commerce.
  • 7 October Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework.
  • 7 October noyb's first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law.
  • 7 October Direct download (PDF) to noyb's structured (very helpful!) version of the Executive Order with bookmarks down to layer 3.

Jens G.

Driving strategic impact and value through AI, Analytics, Data, and human-centered Leadership

1 year

Fantastic and well arranged Rie!

Andrey Prozorov

CISM, CIPP/E, CDPSE, LA 27001 | Advisor and Mentor | I create toolkits for cybersecurity and privacy professionals to meet compliance requirements (ISO 27001, NIS2, EU DORA, NIST CSF, GDPR, ISO 27701)

1 year

Thank you for collecting!

Simon Ekman

CCO @Elastisys. Securely accelerate innovation with cloud native

2 years

That really was nicely arranged! Thank you Rie Aleksandra Walle!
