Mandatly Knowledge Base
What is the New EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework (DPF) is a transatlantic data transfer mechanism that allows personal data to be transferred lawfully from the European Union (EU) to participating organizations in the United States (U.S.) under the General Data Protection Regulation (GDPR).
The framework took effect on July 10, 2023, when the European Commission adopted an adequacy decision for it. It replaces the Privacy Shield Framework, which the Court of Justice of the EU (CJEU) struck down in July 2020 in the Schrems II ruling because U.S. government surveillance of transferred data was not limited to what is necessary and proportionate and individuals in the EU had no effective means of redress in the U.S.
Why Was the EU-U.S. Data Privacy Framework Introduced?
After the Schrems II decision, companies on both sides of the Atlantic struggled with cross-border data transfers. The new Data Privacy Framework aims to address these concerns by:
- Requiring U.S. companies to self-certify annually through the U.S. Department of Commerce’s DPF program.
- Limiting U.S. intelligence agencies' access to transferred data to what is necessary and proportionate, under Executive Order 14086, and strengthening the data protection obligations that certified companies must follow.
- Creating a new Data Protection Review Court (DPRC) so that individuals in the EU can obtain independent review of complaints about how U.S. intelligence agencies have collected or used their data. Complaints about a certified company's own handling of personal data are raised with the company, its independent recourse mechanism and, as a last resort, a binding arbitration panel.
Who Can Use the EU-U.S. DPF?
U.S. organizations that are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) can participate. Organizations outside those agencies' jurisdiction, such as most banks, insurers and telecommunications carriers, cannot self-certify and must rely on another transfer mechanism. To participate, businesses must:
- Join the DPF self-certification list via www.dataprivacyframework.gov.
- Update their privacy policies to reflect compliance with the DPF principles.
- Honor individuals' requests to access, correct or delete their personal data, as the DPF Principles require.
Important for GDPR Compliance:
The DPF is part of broader GDPR compliance when it comes to transferring data outside the EEA. Organizations should:
- Understand if they fall under the scope of GDPR’s international data transfer rules.
- Choose an appropriate transfer mechanism, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules or, for a U.S. recipient on the DPF List, the adequacy decision itself. Before relying on the DPF, check the recipient's entry on the DPF List at www.dataprivacyframework.gov to confirm that its certification is active and covers the type of data being transferred (HR data or non-HR data). A transfer to a DPF-certified organization does not require a transfer impact assessment; transfers under SCCs still do.
- Review Articles 44–50 of the GDPR on international transfers.