July 18, 2023
On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework ("DPF"). You can view our brief video discussion about the DPF or read our initial update.
Companies that maintained their Privacy Shield certifications naturally have questions about how their previous certification will work with the new DPF, and whether it will give them any kind of advantage or "skip the queue" privileges in the new regime.
We have outlined below what companies need to know about the new DPF Program certification. We will provide updates as more information becomes available.
Although organizations are theoretically able to certify to and rely on the DPF for receiving personal data from organizations subject to the GDPR as of July 10, 2023, the DPF Program website is not yet fully functional.
The new DPF website went live on Monday, July 17, 2023. The Privacy Shield Program website went offline on July 14, 2023.
Companies with active accounts on the Privacy Shield Program site will be able to use those credentials to log into their accounts on the new DPF Program site.
Companies that are not currently certified to the Privacy Shield program will also be able to create an account and apply for DPF Program certification after the new DPF site goes live.
Companies that are currently still certified to the Privacy Shield do not need to make a separate, initial self-certification to the DPF. They will be switched over to the DPF automatically and can begin relying on the DPF immediately. They will, however, need to comply with the DPF, including updating their privacy policies and renaming the privacy principles to reflect the DPF, before October 10, 2023.
The annual re-certification due date under the DPF will be the same as the relevant re-certification date under the company's Privacy Shield certification.
Companies with current Privacy Shield certifications that do not wish to participate in the DPF must complete the process to formally withdraw from the Privacy Shield / DPF Programs as set out on the DPF website.
It is likely that companies that previously withdrew from the Privacy Shield will need to submit a new application to certify to the DPF, but it is unclear how the automatic switchover to the DPF will affect companies that let their prior Privacy Shield certification lapse but did not formally withdraw. Presumably, these companies with lapsed certifications will not be able to rely on the benefits of the DPF program until they take steps to ‘re-certify’ under the DPF program or, potentially, submit a new application for certification. We expect more information will be available once the DPF program website goes live.
Companies that had a Privacy Shield Program account can use the same account credentials to log into the DPF website.
The Swiss-U.S. DPF principles will go into effect on July 17, 2023. The same process as set out above for the EU DPF will apply:
However, companies cannot rely on the Swiss DPF for data transfers until it is recognised by the Swiss Federal Administration.
A UK extension to the DPF (known as the "Data Bridge") is expected shortly but has not yet been approved on the UK side.
U.S. companies that wish to rely on the Data Bridge can self-certify as of July 17, 2023. However, they cannot rely on the Data Bridge for data transfers until it is implemented by the UK government.
Companies looking to self-certify to the EU-U.S. DPF, the Swiss-U.S. DPF and the UK extension, and companies with current active Privacy Shield certifications, should therefore have the following key dates in mind: