On behalf of the U.S. Department of Commerce, the International Trade Administration’s Privacy Shield Team would like to make you aware of important developments regarding the Privacy Shield program.
Advisory:
On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF) entered into force. The EU-U.S. DPF Principles entered into effect as of the same date. U.S. based organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must comply with the EU-U.S. DPF Principles, including by updating their privacy policies by October 10, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the EU-U.S. DPF and may begin relying immediately on the EU-U.S. DPF adequacy decision to receive personal data transfers from the European Union / European Economic Area. The updating and renaming of the privacy principles under the EU-U.S. DPF does not change such an organization’s re-certification due date. Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles, but do not wish to participate in the EU-U.S. DPF must complete in accordance with International Trade Administration (ITA) procedures the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.
Effective July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, they may not begin relying on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.
On July 17, 2023, the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles will enter into effect. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the Swiss-U.S. DPF; however, they may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF. The updating and renaming of the privacy principles under the Swiss-U.S. DPF would not change such an organization’s re-certification due date. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles, but do not wish to participate in the Swiss-U.S. DPF, must complete in accordance with ITA procedures the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.
On July 17, 2023, the ITA will launch the Data Privacy Framework (DPF) program website (www.dataprivacyframework.gov) to enable U.S.-based organizations to make initial self-certification submissions to participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and to enable participating organizations to make their annual re-certification submissions for the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. The DPF program website will also provide a variety of guidance materials and related resources, including the text of the DPF Principles and the accompanying letters from the ITA regarding its administration and supervision of the DPF program. In addition, the ITA will continue to provide timely updates on the status of the UK Extension to the EU-U.S. DPF as a basis for transfers of UK personal data to the United States, as well as the status of the Swiss-U.S. DPF as a basis for transfers of Swiss personal data to the United States.
Please also be aware that the Privacy Shield program website (www.privacyshield.gov) is scheduled to be taken offline on July 14, 2023 at 9:00 pm EST to prepare for the launch of the DPF program website. The DPF program website is scheduled to be brought online by July 17, 2023 at 5:00 am EST. Individuals with active accounts that were used with regard to the Privacy Shield program website will be able to use their existing login credentials for those accounts on the DPF program website. In addition, effective July 17, 2023, e-mail messages to the ITA’s DPF Team should be sent to dpf.program@trade.gov (i.e., the privacyshield@trade.gov e-mail address will no longer be used).
|