Guides assessment and use of EU-US Data Privacy Framework for transatlantic data transfers, covering self-certification, DPF principles, DPRC, and EC reviews.
The European Commission adopted the adequacy decision for the EU-US Data Privacy Framework (DPF) on 10 July 2023, based on Commission Implementing Decision (EU) 2023/1795. This adequacy decision enables transfers of personal data from the EU/EEA to US organisations that have self-certified to the DPF with the US Department of Commerce (DoC), without the need for additional transfer mechanisms such as SCCs or BCRs. The DPF replaced the invalidated Privacy Shield framework and was designed to address the concerns raised by the Court of Justice in Schrems II (Case C-311/18) through the introduction of Executive Order 14086 limiting US signals intelligence activities.
The DPF adequacy decision applies only to transfers to US organisations that:
The adequacy decision does not cover transfers to:
| Step | Action | Timeline |
|---|---|---|
| 1 | Review DPF Principles and assess organisational readiness | 2-4 weeks |
| 2 | Develop or update privacy policy to comply with DPF Principles | 2-3 weeks |
| 3 | Select and engage an independent recourse mechanism (IRM) | 1-2 weeks |
| 4 | Designate a contact person responsible for DPF compliance | 1 week |
| 5 | Complete the self-certification application at dataprivacyframework.gov | 1 week |
| 6 | Submit required documentation and privacy policy URL | 1 week |
| 7 | Pay annual certification fee (scaled by revenue) | Upon submission |
| 8 | DoC review and listing on the DPF List | 2-4 weeks after submission |
| 9 | Annual re-certification before expiry date | 12 months after initial certification |
| Organisation Annual Revenue | Fee |
|---|---|
| Up to USD 5 million | USD 0 (fee waived for small organisations) |
| USD 5 million — USD 25 million | USD 575 |
| USD 25 million — USD 500 million | USD 1,150 |
| USD 500 million — USD 5 billion | USD 2,300 |
| Over USD 5 billion | USD 3,450 |
Self-certified organisations must inform individuals about:
Organisations must offer individuals the opportunity to opt out when personal data is:
For sensitive data (health, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sex life, criminal record), affirmative express consent (opt-in) is required before disclosure or use for a new purpose.
Transfers to third-party controllers require:
Transfers to agents (processors) require:
Organisations must take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorised access, disclosure, alteration, and destruction, taking into account the risks involved in processing and the nature of the data.
Personal data must be:
Individuals have the right to:
Access may be restricted only in limited circumstances (e.g., where providing access would violate others' rights, where the burden or expense of providing access is disproportionate, or where disclosure would violate legal obligations).
Organisations must provide:
| Safeguard | Description |
|---|---|
| Necessity standard | US signals intelligence collection must be necessary to advance a validated intelligence priority |
| Proportionality standard | Collection must be proportionate, balancing intelligence need against privacy impact |
| Prohibited purposes | Collection may not be conducted for suppressing dissent, disadvantaging persons based on ethnicity/race/religion, restricting freedom of the press, or gaining commercial competitive advantage |
| Bulk collection limits | Bulk collection permitted only for specific, enumerated objectives (e.g., counter-espionage, counter-terrorism); must be as tailored as feasible |
| Data retention limits | Personal data collected through signals intelligence must be deleted when no longer needed for the validated intelligence purpose |
| Binding nature | EO 14086 creates binding obligations enforceable through the DPRC |
The adequacy decision requires periodic review by the European Commission in cooperation with the EDPB and the European Parliament:
Before relying on the DPF for a transfer, the EU data exporter must verify:
| Check | Method |
|---|---|
| Importer is listed on the DPF List | Search dataprivacyframework.gov |
| Certification is active (not expired or withdrawn) | Check status and expiry date on the DPF List |
| Certification covers the relevant data categories | Review the organisation's DPF scope on the List (HR data, non-HR data, or both) |
| Importer is subject to FTC or DoT jurisdiction | Confirm regulatory jurisdiction in the DPF listing |
| Importer's privacy policy references DPF compliance | Review the published privacy policy at the URL listed |
| IRM identified | Confirm the independent recourse mechanism listed on the DPF entry |
| Data transfer falls within the scope of the adequacy decision | Confirm the transfer is to a self-certified organisation and not to a non-certified entity |