Published: December 2022Click To View (PDF)

The EU-U.S. Data Privacy Framework principles represent the practices U.S. organizations must meet when they self-certify commitment to the DPF for personal data received after it goes into full effect. The version incorporated into the draft European Commission adequacy decision, released December 13, 2022, is an update to similar principles included in the predecessor arrangement, the EU-U.S. Privacy Shield Framework.

Like its predecessor, the principles document incorporates “supplemental principles” in addition to data-protection requirements. These include process requirements for the administration of the DPF, such as requirements for self-certification, re-certification, and verification, and guidelines for independent recourse mechanisms. The annex at the end of the document further guides the implementation of the arbitral model for complaints received from EU data subjects about participating businesses.

To aid Privacy Shield businesses in assessing any changes between the Privacy Shield principles and DPF principles, IAPP created a redlined version of the document. To streamline this review, the swapping of terms such as “Privacy Shield” for “DPF” are not highlighted, but all other changes are marked.

The IAPP Resource Center additionally hosts a EU-US Data Privacy Framework – Guidance and Resources page, which stays updated with the latest guidance documents and resources covering the content of these new rules say, how they work and what comes next as the adequacy-review process continues.