Last Updated: October 2023Click To View (PDF)

On 10 July 2023, the EU adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision states the U.S. must ensure an adequate level of protection for personal data transferred from the European Economic Area to U.S. companies participating in the EU-U.S. Data Privacy Framework. The U.K. adopted its own UK-U.S. Data Bridge, which operates as an extension to the EU-U.S. Data Privacy Framework, on 12 October 2023. Switzerland is expected to finalize its own determinations in the coming months.

There are important updates for organizations on both sides of the Atlantic to implement. This chart outlines the key changes and requirements for U.S. organizations participating in the Data Privacy Framework, whether they are transitioning from the Privacy Shield or newly self-certifying, and for EU, UK, and Swiss organizations transferring data to U.S. organizations, including to U.S. organizations not certified to the Data Privacy Framework.

The IAPP additionally hosts an International Data Transfers topic page in the Resource Center, and an EU-US Data Privacy Framework resource that stays updated with the latest guidance documents and resources covering what these new rules say, how they work and what comes next as the framework takes effect.