What Is the EU-US Data Privacy Framework (DPF) Program?

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: December 20, 2024


On July 10, 2023, the European Commission announced it adopted an adequacy decision under the EU-U.S. Data Privacy Framework (DPF).

You can now make legal data transfers from the EU to the U.S., as long as your business self-certifies with the data protection measures outlined by the program.

But some uncertainty still exists regarding the long-term future and sustainability of the EU-U.S. DPF Program.

In this guide, I’ll teach you everything you need to know about the DPF Program, walk you through the compliance process, and explain the interesting history of international data transfers between the U.S. and the European Union.

Table of Contents
  1. What Is the Data Privacy Framework (DPF) Program?
  2. Who Does the Data Privacy Framework Program Affect?
  3. What Do Businesses Need To Know About the DPF?
  4. What Are the Key Requirements of the Data Privacy Framework?
  5. Who Enforces the Data Privacy Framework Program?
  6. A Brief History of the EU-U.S. Data Privacy Framework
  7. How Termly Helps With Data Privacy Compliance
  8. Summary

What Is the Data Privacy Framework (DPF) Program?

The Data Privacy Framework (DPF) program is an adequacy decision developed to facilitate transatlantic commerce and provide a reliable mechanism for the transfer of personal data from the EU, the European Economic Area (EEA), the United Kingdom (U.K.), Gibraltar, and Switzerland to the United States.

It ensures that U.S. data processors adequately comply with EU, U.K., and Swiss data protection laws like the GDPR, the U.K. GDPR, and the Federal Data Protection Act (FDPA).

It technically consists of the following three key frameworks to account for each location:

  1. The EU-U.S. Data Privacy Framework (EU-U.S. DPF)
  2. The U.K. Extension to the EU-U.S. Data Privacy Framework (U.K. Extension to the EU-U.S. DPF)
  3. The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

What Is an Adequacy Decision?

An adequacy decision is a formal process by the European Commission denoting that a third country or international organization can adequately protect personal information from individuals in the EU, EEA, U.K., and Switzerland.

The General Data Protection Regulation (GDPR) requires an adequacy decision for international transfers to take place without further approval from a governing authority.

The DPF adequacy decision was adopted by EU lawmakers in 2023, and a website for the DPF program was developed that lists all businesses that are part of the program.

Who Does the Data Privacy Framework Program Affect?

The DPF program affects entities in the United States who want to transfer personal data from individuals in the EU, EEA, U.K., Gibraltar, and Switzerland to U.S.-based servers.

In this next section, I’ll briefly cover a few more details about who is impacted by the three privacy frameworks created by this program.

EU-U.S. DPF

The EU-U.S. Data Privacy Framework applies to transferring personal data from individuals in the EU and EEA to participating organizations in the United States whose data processing practices are consistent with EU law — in this case, the GDPR.

The EU-U.S. DPF Principles went into effect on July 10, 2023.

U.K. Extension to the EU-U.S. DPF

The U.K. Extension to the EU-U.S. Data Privacy Framework pertains to U.S. entities seeking to transfer the personal data of individuals from the U.K. or Gibraltar to servers located in the United States. It enables those U.S. organizations to self-certify compliance under the DPF.

The U.K. Extension to the EU-U.S. DPF was adopted on July 17, 2023 and entered into force on October 12 that same year.

Swiss-U.S. DPF

The Swiss-U.S. Data Privacy Framework applies to U.S. entities that want to transfer the personal information of individuals in Switzerland to U.S.-based servers.

The Swiss-U.S. DPF Principles were adopted on August 14, 2024 and went into effect on September 15 the same year.

“US businesses operating in the EU market will reap great benefits from the Data Privacy Framework. The DPF will allow US businesses to access and handle EU data without having to carry out transfer impact assessments, incorporating SCCs, or taking any additional steps.” – Ali Talip Pınarbaşı, CIPP/E, & LLM

What Do Businesses Need To Know About the DPF?

There are several essential considerations businesses must keep in mind under this new Data Privacy Framework Program.

EU-U.S. DPF Program and Participation

Under the DPF Program, U.S. organizations can choose to self-certify their compliance with specific frameworks.

But it’s important to note that participation in the U.K. Extension to the EU-U.S. DPF specifically requires prior participation in the EU-U.S. DPF.

Compliance Under the EU-U.S. DPF Program

Organizations that previously self-certified compliance with the EU-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield must now comply with the relevant DPF Principles to continue enjoying the benefits of the respective frameworks.

Data Privacy Framework List

To rely on the DPF Principles for data transfers, organizations must be on the Data Privacy Framework List.

The International Trade Administration (ITA) updates this list based on annual re-certification submissions and may remove non-compliant organizations.

Resources For the EU-U.S. DPF Framework

The ITA provides resources and FAQs to assist organizations interested in self-certifying their compliance with the DPF frameworks.

“Businesses must include in their privacy policy a public declaration of their commitment to comply with the Principles of the Data Privacy Framework and inform the individuals about their rights granted by the Framework. It is also important for businesses to only process the personal data that is relevant for the purpose of processing and comply with the data retention provisions.” – Teodor Stanciu, CIPP/E, CIPM

What Are the Key Requirements of the Data Privacy Framework?

To self-certify compliance with the EU-U.S. DPF Program, you must meet specific requirements, so let’s go over those together.

Informing Individuals About Data Processing

Under the EU-U.S. DPF Program, you must inform individuals about your data processing activities through a comprehensive privacy policy.

Your privacy policy must declare your organization’s commitment to complying with the DPF Principles and is enforceable under U.S. law.

You must also include links to the DPF program website and independent recourse mechanisms for individuals to submit complaints for investigation.

Additionally, the contents of your privacy policy must inform individual users of their data access rights, disclosure requirements to public authorities, enforcement jurisdiction, and onward data transfer liability.

Providing Free and Accessible Dispute Resolution

You must provide free dispute resolution and respond to individual user complaints within 45 days to self-certify with the EU-U.S. DPF Program.

You must provide an independent recourse mechanism to resolve complaints and disputes at no cost.

The ITA facilitates the resolution process regarding submitted complaints to Data Protection Authorities within a 90-day timeframe.

You must also make binding arbitration available if complaints aren’t resolved through other mechanisms.

Cooperating With the U.S. Department of Commerce

Another requirement under the EU-U.S. DPF program includes cooperating with the U.S. Department of Commerce regarding inquiries or requests sent to the ITA.

Specifically, you must respond promptly to all requests related to the DPF program.

Maintaining Data Integrity and Purpose Limitation

Per the EU-U.S. DPF Program, you must limit your collection of personal information to only what is relevant to the purposes you described for processing the data.

Under the GDPR, this is also known as your legal basis.

Additionally, you also need to comply with all GDPR data retention provisions. This requirement means you can only retain the data for as long as it takes to achieve the purposes you described for processing the information.

Ensuring Accountability for Data Transferred to Third Parties

To transfer data to a third-party controller, organizations must comply with what’s referred to as the Notice and Choice Principles and enter into a contract ensuring limited and specified purposes and protection levels.

“Notice and Choice Principles” essentially means providing individuals with a notice of what personal information you’re collecting and providing them with a choice over how that information gets processed or used.

To transfer data to a third-party agent, organizations must likewise ensure limited purposes and privacy protection, and must take measures to ensure the agent processes the data properly.

Transparency Related to Enforcement Actions

Another key requirement under the EU-U.S. Data Privacy Framework Program involves transparency regarding compliance reports.

Organizations must make relevant DPF-related sections of their compliance reports public if subject to Federal Trade Commission (FTC) or court orders based on non-compliance under the data protection regulations.

Ensuring Commitments Are Kept as Long as Data Is Held

Entities are subject to certain privacy commitments if they leave the DPF Program but want to retain the personal data collected.

Notably, after exiting, organizations must annually affirm their commitment to applying all DPF principles to the retained data or provide adequate protection through other authorized means.

Who Enforces the Data Privacy Framework Program?

The International Trade Administration (ITA), part of the U.S. Department of Commerce, administers the DPF program.

Eligible U.S.-based organizations can self-certify their compliance with the EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF through the ITA’s Data Privacy Framework (DPF) program website.

Once an organization self-certifies its compliance, it must adhere to the DPF Principles, which are enforceable under U.S. law.

A Brief History of the EU-U.S. Data Privacy Framework

As promised, I’m about to cover the history of personal data transfers between the U.S. and Europe to help you understand how we got to the EU-U.S. Data Privacy Framework Program — and shed some light on why people are already discussing a possible Schrems III case.

The Safe Harbor Framework and Schrems I

In 2000, the Safe Harbor Framework dictated international data transfers between the U.S. and Europe. This agreement was in place for over a decade and allowed data to cross borders without relying on Standard Contractual Clauses (SCCs).

It outlined seven key principles, which include:

  • Notice
  • Choice
  • Onward transfer
  • Security
  • Data integrity
  • Access
  • Enforcement

But on October 6, 2015, the Court of Justice of the European Union (CJEU) issued a judgment invalidating the Safe Harbor Agreement.

Their reasoning?

Max Schrems, an Austrian privacy activist and lawyer who was a law student at the time, filed a complaint to the Irish Data Commissioner stating that Facebook Ireland illegally shared his personal information with the U.S. government.

Known as Schrems I, this case came after the Edward Snowden revelations exposed the National Security Agency’s (NSA) surveillance program.

Because the GDPR only allows access to personal data when it’s strictly necessary, and U.S. laws allow for government agencies to have broader access to that information, the CJEU overturned the Safe Harbor Program.

The EU-U.S. Privacy Shield and Schrems II

On July 12, 2016, the European Commission replaced the Safe Harbor Framework with the EU-U.S. Privacy Shield.

Designed in collaboration between the U.S. Department of Commerce and the European Commission, the EU-U.S. Privacy Shield was overturned by the CJEU on July 16, 2020, on the grounds that U.S. laws did not protect personal data from the EU to the standard the GDPR requires.

Again, this resulted from a case between Schrems and Facebook Ireland, known as Schrems II.

Schrems updated his original complaint, claiming Facebook continued to transfer his personal data to the U.S. illegally.

This case upheld the use of Standard Contractual Clauses or SCCs to provide adequate levels of protection.

It took three years of debate, drafting, and redrafting for the European Commission and the U.S. government to agree to the current EU-U.S. Data Privacy Framework Program.

The Future of the DPF Program

So what does the future of the Data Privacy Framework Program look like?

At this point, things seem up in the air.

The EU-US DPF holds significant promise for safeguarding the data of European consumers as it enables the transfer of personal information from the EEA to the U.S.

However, potential challenges are on the horizon, making it vital for businesses to stay informed and cautious about transferring personal data.

A Possible Schrems III On the Horizon?

In my opinion, the DPF is a welcome development, aiming to balance protecting privacy rights and facilitating necessary data transfers.

Although experts deem the new redress mechanism robust, it is worth mentioning that Max Schrems (and his group NOYB) intend to challenge the framework legally.

As privacy-conscious consumers, we must understand that the DPF will be subject to yearly reviews.

Periodic evaluations showcase the unwavering dedication of the authorities in proactively addressing potential threats to consumer privacy.

To protect our data effectively, we should consider supplementing our data transfers to the U.S. with extra measures. It’s critical to be cautious when dealing with transfers not included in the official “Data Privacy Framework List.”

For such cases, using supplementary measures, such as standard data protection clauses or binding corporate rules, can provide an extra layer of security.

If a consumer believes their privacy rights have been violated, they have the option to file a complaint with the national data protection authority and take advantage of the recently introduced redress mechanism.

The possibility of state-level collaboration within the U.S., particularly with California’s privacy frameworks, opens up avenues for even more robust data protection measures. This shows that authorities are actively exploring ways to enhance privacy for consumers, but it also highlights the complex nature of cross-border data protection.

In conclusion, the EU-US Data Privacy Framework is a significant step forward in protecting personal data during cross-border transfers.

Supplementing data transfers with extra safeguards, especially for those not covered by the framework, is a smart move to safeguard your business.

Remember, your privacy is in your hands.

“The Data Privacy Framework has brought long-awaited clarity for businesses on both sides of the Atlantic, and greatly simplifies the procedures needed for EU-US Transfers. However, this is unlikely to be the last twist in the tale, and the prospect of further legal challenges is on the horizon. Considering the similarities of the Framework to the previous ‘Privacy Shield’, it is key that the new monitoring and enforcement mechanisms established in the Framework are demonstrated to be effective to ensure its long-term viability.” – James Ó Nuanáin, CIPP/E, CIPM, CIPT

How Termly Helps With Data Privacy Compliance

If you need to comply with laws like the GDPR, Termly is your one-stop shop.

Backed by our legal team and data privacy experts, we’ve got everything you need, from a legally compliant Privacy Policy Generator to a customizable Consent Management Platform (CMP) that you can configure to meet opt-in and opt-out consent requirements.

We also provide additional necessary website and legal policies to help businesses of all kinds streamline customer services and better protect themselves and their consumers online, like our Terms and Conditions Generator and Return and Refund Policy Generator.

We offer free and paid options. Termly Pro+ users get access to everything we offer.

Summary

The EU-U.S. Data Privacy Framework program impacts businesses and consumers around the globe who want to safely transfer data between the EU/EEA and the U.S.

But the conversation around international data transfers from Europe to the U.S. probably won’t stop here.

You can trust that Termly will be here to keep up with news about this adequacy decision and any potential changes if there’s a future update.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
