The new framework is based on a self-certification scheme, where American businesses can be certified to receive personal data from the EEA if they commit to processing data in accordance with the DPF. Self-certified businesses are listed in the official DPF registry (https://www.dataprivacyframework.gov/s/). In practice, this means that personal data can be transferred freely to self-certified American companies in the same way, and under the same legal conditions, as for transfers within the EEA. Certification under the DPF is valid for one year and must be renewed upon expiration.
Many businesses have already been certified, but it is essential to ensure that the certification covers the type of data being transferred. The certification distinguishes between HR data and other data. HR data refers to information about employees, while other data covers all other personal data. The certification list shows the type of data each business is certified to receive. To illustrate the importance of correct certification, we note that recipients of HR data must undertake to cooperate with European data protection authorities in case of any complaints against the company's data processing, while recipients of other data are obliged to make available an independent dispute resolution mechanism in the USA.
Currently, major companies such as Facebook have yet to certify themselves. The lack of certification from such major companies may be related to NOYB's notified actions as described under section 5. Nevertheless, there is reason to believe that the self-certification option will be used by all major companies in the near future, and that the largest companies will be early adopters of the DPF.