EU-U.S. Data Privacy Framework (EU-U.S. DPF)

The United States Council for International Business (USCIB) advances the global interests of American business both at home and abroad.  It is the American affiliate of the International Chamber of Commerce (ICC), the Business and Industry Advisory Committee (BIAC) to the OECD, and the International Organisation of Employers (IOE).  As such, it has agreed to act as a trusted third party on behalf of the European Union (EU) data protection authorities (EU DPAs).

Background

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from EU member countries to companies in the United States, requires that participating U.S. companies have in place appropriate independent recourse mechanism/s (IRMs) for dispute resolution.  Any company may choose the EU Data Protection Authorities (EU DPAs) to serve as an IRM for dispute resolution; however, any company that wishes to cover ‘human resources data’ (i.e., personal information about employees, past or present, collected in the context of the employment relationship) under its self-certification of compliance pursuant to the EU-U.S. DPF must use the EU DPAs as the IRM for that category of data.

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. DPF entered into force. The EU-U.S. DPF Principles entered into effect as of the same date. U.S. based organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must comply with the EU-U.S. DPF Principles, including by updating their privacy policies by October 10, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the EU-U.S. DPF and may begin relying immediately on the EU-U.S. DPF adequacy decision to receive personal data transfers from the European Union / European Economic Area. The updating and renaming of the privacy principles under the EU-U.S. DPF does not change such an organization’s re-certification due date. Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles, but do not wish to participate in the EU-U.S. DPF must complete in accordance with International Trade Administration (ITA) procedures the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.

Effective July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, they may not begin relying on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.

On July 17, 2023, the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles will enter into effect. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the Swiss-U.S. DPF; however, they may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF. The updating and renaming of the privacy principles under the Swiss-U.S. DPF would not change such an organization’s re-certification due date. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles, but do not wish to participate in the Swiss-U.S. DPF, must complete in accordance with ITA procedures the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.

For all companies that have chosen or are required to use the EU DPAs as the IRM for dispute resolution (i.e., have agreed to cooperate with and comply with the advice of the EU DPAs concerning the investigation and resolution of complaints brought under the EU-U.S. DPF Principles), an annual fee must be paid to the USCIB in the amount of US $50.00 to cover the operating costs of the EU DPA panel. The USCIB has agreed to serve as the custodian of the funds collected through the EU DPA panel fee, but does not itself serve as an IRM.

Payment to USCIB

You may use the following link to pay US $50.00 to cover the operating costs of the EU DPA panel — https://dataprivacyframework.uscib.org/. A company’s payment of this fee to USCIB does not obviate the need for that company to self-certify its commitment to the EU-U.S. DPF. Information concerning the self-certification process under the Data Privacy Framework (DPF) program administered by the U.S. Department of Commerce, and other resources concerning the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF is available on the Department’s DPF program website: https://www.dataprivacyframework.gov/.

Staff Contact:   Barbara Wanner

VP, Digital Policy
Tel: 202.617.3155

Barbara Wanner directs USCIB’s work on information, communications and technology issues. She works with members and government officials on a wide range of international business issues that include advocating for the continuation of the multi-stakeholder model of Internet governance and for policies aimed at promoting the stability, openness and innovative flexibility of the Internet. She represents USCIB members’ interests in several international forums, including the UN, APEC and the OECD.