The EU-U.S. Data Privacy Framework

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The DPF replaces the EU-U.S. Privacy Shield as a legal mechanism for the transfer of personal data from the EU to organizations in the U.S. participating or certified to the DPF. AWS welcomes the adoption of the adequacy decision for the DPF as a commitment of mutual trust between the U.S. and the EU. The DPF restores legal certainty for transatlantic transfers of personal data under the GDPR and advances strong privacy safeguards. The DPF provides more simplicity and confidence to public and private organizations transferring data from the EU to the U.S.

With the adoption of the adequacy decision, EU organizations are able to transfer personal data to organizations in the U.S. participating in the DPF, without having to put in place additional data protection safeguards.

Yes, AWS has certified to the EU-U.S. Data Privacy Framework (DPF) and adheres to the DPF Principles. You can view the AWS DPF certification here. Please note that to locate the certification, search for “Amazon” in the search bar. AWS is one of the covered entities under the Amazon.com, Inc. certification.

No. The EU-U.S. Privacy Shield is no longer a valid legal mechanism for the transfer of personal data from the EU to the U.S. The EU-U.S. Privacy Shield has been replaced by the EU-U.S. Data Privacy Framework.

In October 2023, the UK issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF) which established a UK Extension to the DPF. The UK Extension automatically applies to organizations certified under the DPF and means organizations subject to UK GDPR are able to transfer personal data to organizations in the U.S. participating in the DPF, without having to put in place additional data protection safeguards.

A separate Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) has been developed to facilitate transfers of personal data from Switzerland to the U.S. The principles organizations must comply with to be certified under the Swiss-U.S. DPF were released in July 2023, but personal data cannot be transferred in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.

AWS will not rely on the Swiss-U.S. DPF until it enters into force, but we adhere to its required commitments in anticipation of their doing so.

More details on the obligations for U.S. organizations under the EU-U.S. Data Privacy Framework can be found on the European Commission site and the Data Privacy Framework Program site.

Customers wishing to contact AWS with any inquiries or complaints about our handling of their personal data under the EU-U.S. Data Privacy Framework can contact U.S. at dataprivacyframework@amazon.com.