EU: Commission publishes first report on adequacy decision of the EU-US DPF

On October 9, 2024, the European Commission published the first periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework (DPF). This follows the Commission's request for feedback on the DPF in August 2024.

Certification process

The Commission highlighted that in the first year of operation, 70% of participants in the DPF are small and medium enterprises (SMEs), 47% operate in the ICT sector, and 60% of companies are certified for exclusively non-human resource (HR) data.

The U.S. Department of Commerce (DoC), which is responsible for verifying whether an organization is eligible to join the DPF, noted that 33 applications to join have been rejected so far because they did not meet the DPF requirements. The Commission noted that the DoC explained that where deficiencies are identified, it informs the organization that it must address them and respond to identified failures within a given timeframe. Where the initial certification is not complete/amended within 12 months, the DoC considers the application abandoned.

The Commission noted that it received feedback from organizations indicating that DPF-certified companies have taken steps to ensure compliance with the DPF Principles.

Compliance monitoring

The DoC has not yet detected any issues of compliance with the DPF Principles and has not made any referrals to the Federal Trade Commission (FTC) or U.S. Department of Trade (DoT) for possible enforcement action. However, the DoC clarified that it has only performed ad hoc compliance checks so far and intends to carry out automated compliance checks in the next year.

However, the Commission detailed that the FTC also checks for DPF violations in all its privacy investigations.

Complaint handling

The Commission provided that very few DPF-certified organizations have received complaints from individuals concerning non-compliance with the DPF Principles. This includes complaints made through Independent Recourse Mechanisms (IRMs), such as European Data Protection Authorities (DPAs), which must be selected by DPF organizations that process HR data transferred from the EU.

Guidance

The Commission provided that further guidance and clarification must be developed, in cooperation with the European Data Protection Board (EDPB), on HR data transferred under the DPF and the specific obligations stemming from it. The Commission also outlined the need for greater guidance on:

  • the DPF requirements for onward transfers; and
  • the practical application of DPF principles in specific sectors such as health research and financial services.

Finally, the Commission also considered legislative developments in the USA, including enforcement actions taken by the FTC. The Commission noted that it aims to facilitate convergence between the FTC and privacy enforcers in Europe on matters relevant to the DPF.

You can access the report page and download the report here.