Operational update on EU-U.S. DPF implementation and transition for Privacy Shield participants

According to the Update, Privacy Shield participants who have maintained their certifications should note that while they may begin relying immediately on the DPF, they will need to come into compliance with the “EU-U.S. Data Privacy Framework Principles” (DPF Principles) by 10 October 2023. Because the DPF Principles largely track the Privacy Shield principles, the primary action item will be to clarify in privacy notices directed to EU individuals that their personal data is transferred to the U.S. under the DPF, and to confirm that the notices contain all disclosures required under the DPF notice principle. Likewise, for companies whose data processing agreements with third parties specifically reference the Privacy Shield, those agreements should be updated to instead reference the DPF.

While Privacy Shield participants do not need to separately self-certify to the DPF (i.e., Privacy Shield certifications are being converted to DPF certifications), they should note that their annual re-certification schedule under the Privacy Shield will remain unchanged. So, participants whose re-certification under the Privacy Shield is required prior to the 10 October 2023 compliance deadline, should be prepared to demonstrate compliance with the DPF Principles at the time of their re-certification.

There also is a significant implication of the automated conversion for Privacy Shield participants who do not wish to participate in the DPF, which is that these participants will need to formally discontinue participation in the DPF through the established process (failure to do so has been the subject of most Privacy Shield enforcement actions, as we describe here). Now that the program is rebooting, existing participants cannot merely avoid relying on it or allow their certifications to lapse.

The Update advises that the Privacy Shield website (including its list of program participants) will go offline on 14 July 2023 and will be replaced by the DPF program website on 17 July 2023. Once the DPF program website is online, new program participants will be able to self-certify compliance with the DPF.

The Update also provides important updates for trans-Atlantic data transfers from Switzerland and the United Kingdom (UK):

• The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) will follow the same implementation process as the EU-U.S. DPF. Organizations that self-certified their compliance with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy notices by 17 October 2023. New participants can self-certify starting on 17 July 2023.
• Trans-Atlantic transfers from the UK will be handled through a “UK Extension” to the DPF. While companies can begin self-certifying participation to the UK Extension on 17 July 2023 through the DPF program website, they will not be able to use the UK Extension until the UK adopts its own adequacy decision. Note: It appears that all companies seeking to use the UK Extension will need to separately self-certify compliance to the UK Extension, and that DPF certification is a pre-requisite for certification to the UK Extension.

Authored by: Bret Cohen and Julian Flamant.