EU-US Data Privacy Framework
The EU-US Data Privacy Framework is an adequacy-based mechanism letting EU personal data flow to self-certified US organizations that adhere to its privacy principles. It replaced Privacy Shield and is enforced by the FTC.
Overview
The EU-US Data Privacy Framework (DPF) is a mechanism for lawful transfer of personal data from the European Union to the United States. It was established following a European Commission adequacy decision adopted in July 2023. The DPF is the successor to the invalidated Safe Harbor and Privacy Shield frameworks, redesigned to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment.
The DPF allows EU organizations to transfer personal data to US companies that self-certify their adherence, without needing additional transfer tools such as standard contractual clauses for those flows. It is accompanied by US commitments to limit intelligence access to data and to provide redress, including a Data Protection Review Court.
Who It Applies To
The DPF applies to US organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation that choose to self-certify. Once certified, they can receive EU personal data under the adequacy decision. EU data exporters benefit by being able to rely on the framework for transfers to certified recipients. The UK and Switzerland have parallel extensions.
Key Requirements
Participating US organizations must self-certify to the Department of Commerce, publicly commit to the DPF Principles (covering notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse), provide individuals with redress mechanisms, and recertify annually. They must cooperate with EU data protection authorities for certain data types and submit to FTC enforcement of their commitments.
Penalties for Non-Compliance
Organizations that fail to uphold their certified commitments can face FTC enforcement for unfair or deceptive practices, including orders and penalties. Persistent non-compliance can lead to removal from the framework, after which they can no longer rely on it for transfers and may need alternative transfer mechanisms.
How to Comply
US organizations should self-certify, implement the DPF Principles in policies and contracts, establish independent recourse and redress, and recertify each year. EU exporters should verify that recipients are actively certified for the relevant data categories before relying on the framework, and monitor the framework's legal status, since further challenges are possible.