10 FAQs about the New EU/US Data Privacy Framework

If your company transfers personal data from the European Union into the U.S., chances are you are aware of the EU’s rigorous data privacy regulations. In order to comply with the General Data Protection Regulation (GDPR), a company transferring data from the EU must use a transfer mechanism that has been determined to be adequate by the EU. The three primary transfer mechanisms are standard contractual clauses, binding corporate rules, and adequacy decisions issued by the European Commission (the “EC”).  

Previously, from July 2016 to July 2020, many companies relied on the EU/US Privacy Shield, a transfer mechanism arising out of an EC adequacy decision. However, in July of 2020, Privacy Shield was invalidated by the Court of Justice of the EU as a result of the Schrems II case. Following its invalidation, many companies instead relied on standard contractual clauses or SCCs (requiring signatures by data controllers and data processors), which were updated by the EC in July of 2021. Now, three years after Privacy Shield was invalidated, the EC has adopted an adequacy decision regarding a new framework to facilitate EU to US data transfers, called the EU/US Data Privacy Framework.

1.  What is the Data Privacy Framework (DPF)?
The DPF is a new data transfer mechanism, deemed adequate by the EC on July 10, 2023. This means that companies who participate in the DPF program are deemed to provide adequate data privacy protections for cross-border transfers. Note, there are related frameworks for the UK and Switzerland, which will require separate certifications.

2.  Are the DPF and Privacy Shield the same thing?
No. The DPF replaces the Privacy Shield Framework that was invalidated in July of 2020 as a result of the Schrems II case. The DPF contains “significant improvements” intended to address the concerns raised in Schrems II. Companies that kept their Privacy Shield certifications active can now fast track their DPF certifications. Otherwise, companies that do not have an active Privacy Shield certification or never certified under Privacy Shield will need to go through the entire self-certification process.    

3.  How can a company obtain DPF certification?
As specified in the DPF, a company seeking certification will need to (i) develop a privacy policy that complies with the DPF requirements, (ii) put in place an appropriate independent recourse mechanism (such as the BBB, TRUSTe, or VeraSafe), (iii) make a mandatory contribution for binding arbitration, (iv) designate an internal contact for DPF compliance, and (v) review and agree to information required to self-certify, including compliance with the DPF Principles.

4.  What are the DPF Principles?
Companies seeking a DPF certification are required to comply with the following 7 DPF Principles: (i) notice, (ii) choice, (iii) accountability for onward transfer, (iv) security, (v) data integrity and purpose limitation, (vi) access, and (vii) recourse, enforcement and liability. There are also 16 “Supplemental Principles” that DPF-certified companies must follow. Details regarding the specific requirements for each of the principles can be found here.

5.  How do I know if a company is DPF self-certified?
The list of entities who have self-certified under DPF and their current status (active or inactive) is available here. 

6.  What happens if a certified company does not comply with the DPF Principles?
In the event of a violation of the DPF Principles, a complaint may be submitted directly to either (i) the DPF-certified company or (ii) the applicable EU Data Protection Authority. In the U.S., the FTC will have enforcement authority for compliance with the DPF, and will prioritize such enforcement.  Non-compliance referrals may be submitted to the FTC by dispute resolution bodies, self-regulatory bodies, the U.S. Department of Commerce, and EU Data Protection Authorities. In some cases, claims will be submitted to the EU-US Data Privacy Framework Panel, and if a company repeatedly fails to comply, it will lose the benefits of the DPF and be removed from the DPF list.

7.  Should my company pursue DPF certification?
For a company to be eligible to self-certify under the DPF, the entity must be subject to the jurisdiction of the FTC or the Department of Transportation. If this threshold is met, a company considering DPF certification will need to evaluate the benefits of certifying under the DPF, after carefully considering factors such as the company’s ability to comply with the DPF Principles, company size, the amount of business it does in the EU, the type of services it offers, the amount of consumer data the company processes, and whether the company collects any sensitive data.

8.  Will DPF be invalidated like Privacy Shield was?
Hopefully not. Max Schrems’ privacy organization, NOYB, has already said that it will challenge the DPF (in what could be dubbed “Schrems III”). However, there is optimism that the DPF could survive a legal challenge, particularly because the DPF specifically addresses the issues raised in Schrems II, and represents a significant improvement over the Privacy Shield. Also, experts predict that it would likely take 3-4 years for a DPF challenge to wend its way through the EU court system, meaning that companies who self-certify under DPF now could enjoy operational flexibility for at least the next few years.

9.  Will DPF certification eliminate the need to use Standard Contractual Clauses (SCCs)?
Not necessarily. Due to the possibility that DPF could potentially be invalidated (as discussed above), some companies are taking a “belt and suspenders” approach, and are choosing to self-certify under DPF and to continue to rely on SCCs. Each DPF-certified company will need to decide whether to also continue using SCCs based on its own circumstances and risk tolerance.

10.  Will DPF-certified companies need to update their privacy polices?
Yes. The DPF requires that very specific information be included in a DPF-certified company’s privacy policy, including a statement that the company has self-certified under the DPF and will comply with the DPF Principles. Ensuring your privacy policy has been properly updated to include all of the necessary information is critical, and the privacy policy must be submitted for review as part of the certification process. This is yet another reason why companies should not just copy a privacy policy from another company’s website; the FTC will be actively looking for misrepresentations that a company is DPF-certified and that it complies with the DPF Principles when these statements are not true.

If you would like help determining whether to certify under DPF, completing the certification process, and/or updating your company’s privacy policy to comply with DPF, contact Virginia at [email protected].

A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US and CIPP/E certifications)