Eight steps to join the Data Privacy Framework (DPF)

Brief background to EU and U.S. adequacy

EU and UK GDPR requires that – in order to transfer personal data to a third country – there needs to be an adequacy decision or appropriate safeguards equivalent to the standards imposed by GDPR (Chapter 5 GDPR). The focus of this blog is to analyse the compliance requirements for the new adequacy decision issued for the United States (US). However, before going into those details, it is crucial understand the historical background regarding the data transfers between European Union (EU) and U.S.

The first adequacy decision of the European Commission, known as U.S.-EU Safe Harbor Framework, dates back to 2000. Safe Harbor offered a mechanism for companies to lawfully transfer data from EU and U.S. In 2015 Safe Harbor was declared invalid by the European Court of Justice (CJEU). This led the European Commission to issue an adequacy decision on the EU-U.S. Privacy Shield Framework. A CJEU decision (in a case referred known as “Schrems II”) was that the Privacy Shield was also invalid (or inadequate).

On 10 July 2023, the European Commission adopted a new adequacy decision, this time known as the EU-U.S. Data Privacy Framework (DPF). This Framework addressed the issues raised in “Schrems II”. This decision means that organisations who are self-certified against the DPF do not need to rely on other safeguard mechanisms such as the Standard Contractual Clauses (SCCs).

EU-U.S. Data Privacy Framework

The EU-U.S./UK/Switzerland Data Privacy Framework (DPF) are founded on seven core principles (the DPF Principles). Please click each link for further detail.

    1. Notice
    2. Choice
    3. Accountability for Onward Transfer
    4. Security
    5. Data Integrity and Purpose Limitation
    6. Access
    7. Recourse, Enforcement and Liability


The eight steps to join the DPF

The U.S. Department of Commerce International Trade Administration (ITA) has outlined how U.S.-based organizations may join the DPF.

  1. Confirm the organisation’s eligibility to participate in the DPF Program.
  2. Develop a DPF-compliant Privacy Policy Statement.
      • Ensure the organisation’s Privacy Policy conforms to the DPF Principles.
      • Make specific reference in the Privacy Policy to the organisation’s compliance with the DPF principles.
      • Identify in the Privacy Policy the organisation’s Independent Recourse Mechanism(s).
      • Provide an accurate location for the organization’s Privacy Policy and make sure that it is publicly available.
  3. Ensure the organisation have an Appropriate Independent Recourse Mechanism for each type of Personal Data covered by its self-certification.
  4. Make the required contribution for the Annex I Binding Arbitration Mechanism.
  5. Ensure the organisation’s Verification Mechanism is in place.
  6. Designate a contact within your organization regarding DPF compliance.
  7. Review the information required to self-certify.
  8. Submit the organization’s self-certification to the ITA.


Next steps

Firstly, it is worth noting that the DPF Program is entirely voluntary. However, self-certification is a public declaration of adherence to the DPF Principles, enforceable under U.S. law by the Federal Trade Commission, the U.S. Department of Transportation (DOT), or other relevant government body. Therefore, organisations should ensure this program goes beyond a “box-ticking” exercise.

Kaleidoscope is already working with a number of U.S. clients to work through the self-certification process, so if you are interested in understanding more about DPF Programme and how to self-certify, please contact us via our website and we will be more than happy to assist.