Companies May Begin Submitting EU-U.S. Data Privacy Framework Certifications

As of July 17, 2023, the Data Privacy Framework website and certification mechanism are fully functional, and organizations that are approved under the EU-U.S. Data Privacy Framework (Framework) may begin taking advantage of the Framework for cross-border data transfers to Europe (with the exception of the United Kingdom and Switzerland). The Framework imposes different requirements depending on whether a company is a new participant or is re-certifying because it continued to adhere to the Privacy Shield Principles during the past three years. Each is addressed in more detail below.

Organizations may certify to (1) the Framework, (2) the Framework with the UK Extension, and/or (3) the Swiss-U.S. Framework. At this time, certifying organizations may rely on the Framework to receive personal data from the EU. Certifying organizations will be able to rely upon the UK Extension and the Swiss-U.S. Framework to transfer personal data from those countries once those countries announce an effective date for their recognition of the adequacy decision.

New Participant Requirements.

The self-certification process for new participants to the Framework requires companies to disclose certain information to the U.S. Department of Commerce’s International Trade Association (ITA), as well as to certify that they have adopted certain policies and procedures. Specifically, an organization must: (1) provide a description of its activities with respect to all personal data received from the EU; (2) include a copy of its privacy policy; (3) describe the independent recourse mechanism it will use to investigate unresolved complaints, where applicable; and (4) describe its method for verifying its attestations and assertions. The Framework, like the Privacy Shield, requires organizations to certify that they comply with a set of requirements governing participating organizations’ use and treatment of personal data received from the European Union. The requirements include seven commonly recognized privacy principles, such as notice, choice, access, and security, as well as sixteen equally binding supplemental principles that explain and augment those seven privacy principles.

After providing the requisite information and certifying that it complies with the Framework’s requirements, an organization must await approval from ITA, after which it will be added to the list of DPF participants. Organizations must pay an annual fee and recertify annually in order to maintain certification.

Former EU-U.S. Privacy Shield Participants.

Organizations that previously self-certified under the EU-U.S. Privacy Shield Framework Principles (Privacy Shield) and kept this certification active post-Schrems II must comply with the requirements of the Framework, which imposes substantive obligations similar to those of the Privacy Shield. However, such organizations are additionally required to make some discrete changes in order to comply with the Framework, such as updating privacy policies to include references to the “EU-U.S. Data Privacy Framework Principles.” Any such changes must be implemented within three months of the effective date of the Framework—by October 10, 2023. Notably, the updates to the Framework and the additional three months to comply do not affect an organization’s re-certification due date, which remains the same as it was under the Privacy Shield.

Lastly, if an organization previously self-certified with the Privacy Shield but does not wish to participate in the Framework, it must complete the Framework’s withdrawal process.

***

Wiley’s Privacy, Cyber & Data Governance Team has helped companies of all sizes from various sectors proactively address risks and comply with new privacy laws and requirements. Please contact Joan Stewart (jstewart@wiley.law) or Tyler Bridegan (tbridegan@wiley.law) if your organization needs assistance in understanding, complying with, or certifying to the Framework.
