EU-U.S. Data Privacy Framework: Next Steps for U.S. Companies

On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (“DPF"). You can view our brief video discussion about the DPF or read our initial update. 

Companies that maintained their Privacy Shield certifications naturally have questions about how their previous certification will work with the new DPF, and whether it will give them any kind of advantage or "skip the queue" privileges in the new regime.

We have outlined below what companies need to know about the new DPF Program certification. We will provide updates as more information becomes available.

When will we be able to certify?

Although organizations are theoretically able to certify to and rely on the DPF for receiving personal data from organizations subject to the GDPR as of July 10, 2023, the DPF Program website is not yet fully functional. 

The new DPF website went live on Monday July 17, 2023. The Privacy Shield Programme website went offline on July 14, 2023.

Companies with active accounts on the Privacy Shield Program site will be able to use those credentials to log into their accounts on the new DPF Program site.

Companies that are not currently certified to the Privacy Shield program will also be able to create an account and apply for DPF Program certification after the new DPF site goes live.

We are still certified under Privacy Shield – what happens now?

Companies who are currently still certified to the Privacy Shield do not need to make a separate, initial self-certification to the DPF. They will be switched over to the DPF automatically and can begin relying on the DPF immediately. They will, however, need to comply with the DPF, including updating their privacy policies and renaming the privacy principles to reflect the DPF, before October 10, 2023.

The annual re-certification due date under the DPF will be the same as the relevant re-certification date under the company's Privacy Shield certification.

Companies with current Privacy Shield certifications that do not wish to participate in the DPF must complete the process to formally withdraw from the Privacy Shield / DPF Programs as set out on the DPF website.

We were previously certified under Privacy Shield, but our certification is not active – what happens now?

It is likely that companies that previously withdrew from the Privacy Shield will need to submit a new application to certify to the DPF, but it is unclear how the automatic switchover to the DPF will affect companies that let their prior Privacy Shield certification lapse but did not formally withdraw. Presumably, these companies with lapsed certifications will not be able to rely on the benefits of the DPF program until they take steps to ‘re-certify’ under the DPF program or, potentially, submit a new application for certification. We expect more information will be available once the DPF program website goes live.

Companies who had a Privacy Shield programme account can use the same account credentials to log into the DPF website.

What about Swiss transfers?

The Swiss-U.S. DPF principles will go into effect on July 17, 2023. The same process as set out above for the EU DPF will apply:

• Companies can self-certify to the Swiss-U.S. DPF from July 17, 2023
• Companies with a current Swiss Privacy Shield certification will automatically be switched over to the Swiss DPF and must update their privacy principles and privacy policies by October 17, 2023

However, companies cannot rely on the Swiss DPF for data transfers until it is recognised by the Swiss Federal Administration.

What about UK transfers?

A UK extension to the DPF (known as the "Data Bridge") is expected shortly but has not yet been approved on the UK side.

U.S. companies that wish to rely on the Data Bridge can self-certify as of July 17, 2023. However, they cannot rely on the Data Bridge for data transfers until it is implemented by the UK government.

What are the key dates?

Companies looking to self-certify to the EU-U.S. DPF, the Swiss-US DPF and the UK extension, and companies with current active Privacy Shield certifications should therefore have the following key dates in mind:

• July 10, 2023: The DPF becomes effective. Companies with a current active Privacy Shield certification can rely on the DPF immediately.
• July 14, 2023: The Privacy Shield website goes down.
• July 17, 2023: The Swiss DPF becomes effective. Companies with a current active Swiss Privacy Shield certification will transition to Swiss-DPF certification but cannot rely on the Swiss DPF until it is recognized by the Swiss Federal Administration.
• July 17, 2023: The DPF website goes live. Organizations can self-certify their compliance to the EU and Swiss DPFs.
• July 17, 2023: Organizations can self-certify their compliance to the UK extension to the DPF (known as the "Data Bridge") as an add-on to the EU DPF, but cannot rely on it as a valid transfer mechanism under the UK GDPR until the Data Bridge is implemented by the UK government.
• October 10, 2023: The deadline for organizations with current active Privacy Shield certifications that automatically switched over to the DPF to update their privacy principles and privacy policies to reflect the requirements of the DPF.
• October 17, 2023: The deadline for organizations with current active Swiss Privacy Shield certifications that automatically switched over to the Swiss DPF to update their privacy principles and privacy policies to reflect the requirements of the Swiss DPF.