Under the current adequacy decision, the U.S. is recognized as providing a level of protection for personal data equivalent to that of the EU when such data is transferred from companies in the EU to companies in the United States. However, this only applies to those companies that participate in the EU-US data protection framework.
How and when will U.S. companies participate in the new privacy framework?
To be recognized as a secure recipient of data and to comply with the rules of the EU-US data protection framework, a U.S. company must go through a self-certification process with the U.S. Department of Commerce (DoC). In this procedure, the company must submit various documents. Upon successful submission of these documents, the company will be added to the Data Privacy Framework (DPF) list and will thus be considered self-certified according to the requirements of the new data protection framework.
Although this process may seem complicated at first glance, it is actually said to be quite straightforward. Especially for companies that have already participated in the first Privacy Shield, the transition from the Privacy Shield conditions to the DPF should be relatively easy. These companies should adapt their privacy notices to the newly introduced requirements of the DPF, and do so within three months.
Once a U.S. organization has received certification, it must renew that certification annually. In response, the U.S. Department of Commerce has stated that the procedure for self-certification and annual renewal of certification will remain basically the same so as not to create additional barriers.