Your OSS for the EU-US DPF

Read more on the background below.

Latest news (2024):

On 5 Nov, the EDPB announced their first DPF report and also shared a statement:

The European Commission concludes that the DPF 'functions effectively' and will do another review in three years:

Grab the full PDF here:

• 28 Aug: An interesting read by Christopher Kuner on Strengthening the EU Legal Edifice for Data Transfers
• 14 Aug: The Swiss Federal Council approved the Swiss-US DPF for transfers to certified US companies
• ⏰ 9 Aug: The Commission seeks stakeholder feedback on the DPF one-year review. Open till 6 September.
• 19 July: Joint Press Statement: Commissioner Reynders and US Secretary of Commerce Raimondo on the first periodic review of the DPF
• 17 July: EDPB press release mentions EU-US DPF FAQs. Direct links to download PDFs:
  • EU-US DPF FAQ for European individuals
  • EU-US DPF FAQ for European businesses
• 24 April: EDPB clarifies implementation DPF redress mechanisms

💡 If the EU-US DPF is relevant, you should read through the EDPB's documents.

Generally, if you're in the EEA and (want to) transfer personal data via the DPF:

1. Verify on the DFP website that the US company has an active certification. Remember that their certification must be renewed annually—meaning you must check it annually
2. Check that it covers the data you want to transfer (HR data isn’t covered automatically)

If you’re transferring to a subsidiary of a DPF-certified parent company, you must check that the parent’s certicification also applies to them.

Key information

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the US ensures a level of protection for personal data transferred from the EU to the US that's comparable to that of the EU—in certain instances.

And not all self-certifications cover 'HR Data', so make sure you check if this is relevant to your transfers.

PS: At the time, Max Schrems announced that they (noyb) will challenge the new framework, so keep in mind that the DPF might also go for a CJEU round. (And, the US is just one territory - we still have to do TIAs and supplementary measures for other third countries...)

Key resources & links

• 🇺🇸 certification website and Key Requirements for DPF Program Participating Organizations
• Download the actual implementing decision here: Adequacy decision for the EU-US Data Privacy Framework
• 🇪🇺 Q&A (also see print friendly PDF at the end of the page) and Factsheet
• The EC's page on Adequacy decisions
• The EC's page on the International dimension of data protection: how personal data transferred between the EU and US is protected for both the Commercial sector and Law enforcement cooperation (this page links to many of the links already listed here)

Archive links 2022-2023

• 🇫🇷 CNIL FAQ for French entities implementing the DPF (question 11 updated 17 July 2024)
• 🇪🇺 19 July EDPB's press release with link to their DPF information note
• 🎥 14 July iapp LinkedIn event with Caitlin Fennessy (IAPP) and Alex Greenstein (Director DPF, U.S. Department of Commerce): The DPF in practice where they also addressed some key questions
• 🇺🇸🇪🇺17 July Press release U.S. Departments of Commerce and Justice and the European Commission Reaffirm Shared Values, Welcome Finalized EU-U.S. Data Privacy Framework
• 🇪🇺 10 July Press release: European Commission adopts new adequacy decision for safe and trusted EU-US data flows and Press conference with Commissioner Didier Reynders
• 🇺🇸 10 July Statement from President Joe Biden on EU Adoption of Adequacy Decision for U.S.-EU Data Flows
• 🇺🇸 10 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework
• 💜 14 August noyb: 23 years of illegal data transfers due to inactive DPAs and new EU-US deals
• 💜 10 July noyb's reaction to the DPF announcement: New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision
• 🇪🇺 12 Oct The General Court rules against interim measures to pause the implementation of the DPF (Latombe's challenge)
• 7 Sep Politico reports that MP Philippe Latombe challenges the DPF
• 18 July iapp article A guide to the attorney general’s finding of 'reciprocal' privacy protections in EU ("qualifying states")
• 🇳🇴 Datatilsynets spørsmål og svar
• 🇩🇰 Datatilsynets spørgsmål og svar
• 🇸🇪 Integritetsskyddsmyndigheten (IMY) has just posted a simple note
• 🇺🇸 3 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework
• 🇺🇸 20 June U.S. Department of Justice Memorandum in Support of Designation of the European Union and Iceland, Liechtenstein and Norway as Qualifying States Under Executive Order 14086 (PDF direct link)
• 🇪🇺 25 March Factsheet – Transatlantic Data Privacy Framework
• 🇺🇸 25 March Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework
• 💜 13 December noyb's reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission
• 🇪🇺 13 December Press release: Commission starts process to adopt adequacy decision for safe data flows with the US
• 🇪🇺 13 December The actual Draft adequacy decision
• 🇪🇺 13 December Q&A on the Draft adequacy decision
• 🇪🇺 7 October Q&A (web, also see handy PDF at the end of the page)
• 🇺🇸 7 October Statement on the Executive Order from the U.S. Secretary of Commerce
• 🇺🇸 7 October Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework
• 💜 7 October noyb's first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law
• 💜 7 October Direct download (PDF) to noyb's structured (very helpful!) version of the Executive Order with bookmarks down to layer 3