Certification Under the EU-U.S. Data Privacy Framework

Certification Under the EU-U.S. Data Privacy Framework

Client Alert


On July 10, 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the successor to the EU-U.S. Privacy Shield, which the Court of Justice of the European Union deemed invalid on July 16, 2020. The U.S. Department of Commerce (“DoC”) is charged with administering and monitoring the EU-U.S. DPF program.

On July 17, 2023, the DoC International Trade Administration launched its EU-U.S. DPF website. Companies are now able to review the key requirements for participating organizations, including how to join the program and how to recertify.

How to Join or Recertify

If your company would like to participate in the EU-U.S. DPF and is not actively certified under the EU-U.S. Privacy Shield, you will have to self-certify via the DPF website. The DoC has provided a guide to self-certification, and further information in preparation for the process can be found in the DPF website’s FAQs

If your company is currently actively certified under the EU-U.S. Privacy Shield, you may begin to rely on the EU-U.S. DPF if you believe your company to be compliant. However, you will still need to update your privacy policy as soon as possible but no later than October 10, 2023. Requirements for compliant privacy policies can be found in the DPF website FAQs. An organization’s privacy policy must align with the DPF principles, specifically including each element of the notice principle, setting forth items about which a company must provide transparency to data subjects. The DoC also provides some sample language for a company to use when it represents that it is participating in the EU-U.S. DPF.

The UK and Switzerland

Parties certifying via the DPF website may also certify under the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK Extension”). However, as of the time of this client alert, neither framework may be relied on for data transfers.

On June 8, 2023, the UK and the U.S. agreed to establish a “data bridge”; but the UK has yet to recognize U.S. data protection, or the protection to be provided under the UK Extension, as adequate. Until such a determination, companies may not rely on the UK Extension for data transfers from the UK to the U.S. However, the U.S. government expects that the UK government will find the program adequate at some point in the future.

Likewise, while the Swiss-U.S. DPF principles are effective as of July 17, 2023, companies cannot rely on the Swiss-U.S. DPF for data transfers until Switzerland’s adoption of an adequacy decision.

Key Aspects of the EU-U.S. DPF

Principles. Like its predecessor, the EU-U.S. DPF is based on a system of certification by which U.S. organizations commit to a set of core principles, in this case the EU-U.S. Data Privacy Framework Principles. The principles include notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The principles apply immediately upon self-certification. 

Eligibility. To be eligible for certification under the EU-U.S. DPF, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).

DoC compliance monitoring. In accordance with the European Commission’s adequacy decision, the DoC may carry out “spot checks” of randomly selected organizations or specific organizations when potential compliance issues are identified (e.g., reported to the DoC by third parties) to verify whether (i) point(s) of contact for handling complaints and data subject requests are available and responsive; (ii) the organization’s privacy policy is readily available, both on its website and via a hyperlink on the DoC’s website; (iii) the organization’s privacy policy complies with the certification requirements; and (iv) the organization’s chosen independent dispute resolution mechanism is available to handle complaints.

In addition, the DoC will carry out cross-checks with the FTC and DoT to verify that the organizations are subject to the oversight body identified in their certification submissions. The DoC will also work with alternative dispute resolution bodies to verify that the organizations are registered for the independent recourse mechanism identified in their certification submission.

Publication. The DoC will maintain and make available to the public the Data Privacy Framework List (the “List”) of organizations that have certified their adherence to the principles. The List will be updated on the basis of an organization’s annual recertification submission and also when an organization is removed. The European Commission’s adequacy decision requires the DoC to make available to the public a record of organizations removed from the List, along with the reason for removal.

Removal. If a company is removed from the EU-U.S. DPF, it must return or delete the personal data received under the EU-U.S. DPF. In the event an organization voluntarily withdraws, the organization must notify the DoC in advance. Furthermore, the organization must either (i) delete or return the data or (ii) retain the data, provided it affirms to the DoC on an annual basis via its annual recertification its commitment to continue to apply the principles or provides adequate protection for the personal data by another authorized means (e.g., via standard contractual clauses). Its notice of withdrawal should indicate what it plans to do with the personal data received under the EU-U.S. DPF.

False claims of certification. The DoC will be monitoring for false claims of EU-U.S. DPF certification. Any misrepresentation to the general public may be subject to enforcement action by the FTC, DoT or other relevant U.S. enforcement authorities under the False Statements Act (18 U.S.C. § 1001).

Assignment. An organization that will cease to exist due to a change in corporate status—for instance, as a result of a merger, takeover, bankruptcy or dissolution—must notify the DoC of this in advance (the contact link for this notification is forthcoming). The notification should also indicate whether the entity resulting from the change in corporate status will (i) continue to participate in the EU-U.S. DPF through an existing self-certification; (ii) self-certify as a new participant in the EU-U.S. DPF (e.g., where the new entity or surviving entity does not already have an existing self-certification through which it could participate in the EU-U.S. DPF); or (iii) put in place other safeguards to ensure continued application.

WilmerHale’s Data Privacy and Cybersecurity team is monitoring news related to international transfers of personal data and will keep you updated on further developments. We are also happy to assist with any of your certification questions, including the pros and cons of the various mechanisms for the international transfer of personal data.



Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.