On July 10, 2023, the European Commission announced the adoption of its adequacy decision under the EU-U.S. Data Privacy Framework (DPF).
U.S. companies can now self-certify their participation in the DPF, facilitating data transfers from Europe to the U.S. in compliance with the GDPR.
Organizations that previously maintained their certification under the former Privacy Shield system do not have to re-certify but will need to take steps to update their compliance with the DPF. By October 10, 2023, they must revise their privacy policies by replacing all references to the “EU-U.S. Privacy Shield” with “EU-U.S. Data Privacy Framework”.
Further, U.S. companies must, as under privacy shield, undergo an annual assessment of their compliance with the framework’s principles. This can be done either by self-assessment or a third party.