How the EU-US Data Privacy Framework Benefits Salesforce Customer Data Transfers

July 18, 2023

As of July 17, 2023, Salesforce is a certified organization under the EU-US DPF, and will continue to meet and exceed the requirements of the new framework. Additional details about Salesforce’s participation can be found in the company’s Notice of Certification.


Editor’s note: This article was updated on July 11, 2023 to reflect the European Commission’s adequacy decision. 

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). This validated President Joe Biden’s October 2022 Executive Order, which implemented critical data privacy protections for transferring personal data from the EU to the United States. Together with the equivalent U.S. decision, the EU’s adequacy decision is effective as of July 10, 2023. 

Why it’s important: EU-to-US data flows facilitate $7.3 trillion in economic relationships. The adequacy decision formally replaces the EU-US DPF’s predecessor, the EU-US Privacy Shield Framework, and concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU, Iceland, Liechtenstein, and Norway to U.S. companies participating in the framework.

The Salesforce perspective: Salesforce welcomes the European Commission’s adoption of the EU-U.S. DPF and its new privacy protections for individuals. 

  • “The European Commission’s decision increases privacy protections for individuals worldwide and strengthens trust and certainty in the continued validity of all EU cross-border data transfers,” said Ed Britan, Head of Global Privacy, Salesforce. “With the EU-US Data Privacy Framework, the EU and the U.S. have demonstrated shared values in jointly setting a heightened privacy and data protection standard that global frameworks should now meet.”

Zoom in: Salesforce will seek to be among the first organizations to obtain certification under the EU-US DPF, and will continue to meet and exceed the requirements of the new framework.

Salesforce currently uses multiple mechanisms to provide customers with cross-border transfer security and greater customer protection:

  • Binding Corporate Rules (BCRs) – Salesforce was the first enterprise software company to achieve approval for processor BCRs from European data protection authorities. BCRs reflect the highest data protection standards in the world and remain the gold standard for cross-border data transfers. 
  • Standard Contractual Clauses (SCCs) – In 2021, Salesforce released a data processing addendum (DPA) that includes the newest version of the standard contractual clauses and best-in-industry commitments around challenging government access requests and providing for customer audits. 

These efforts reflect Salesforce’s commitment to providing customers with the strongest protections available for addressing cross-border transfer requirements and increased ability to control their data. 

In addition:

  • Salesforce’s Hyperforce EU Operating Zone provides an enhanced level of data residency commitment that gives customers the choice and control they need to keep their data within Europe. 
  • For customers wishing to maintain direct control of their encryption key management, Salesforce has announced an External Encryption Key Management collaboration with a number of forward-looking and trusted technology partners including AWS, Atos, Entrust, HashiCorp, Thales, and T-Systems. 

Additional details: The U.S. government recently fulfilled its commitments under Executive Order 14086, addressing key issues raised in the Schrems II decision related to the U.S. In particular: 

  • The Office of the Director of National Intelligence, in coordination with elements of the U.S. Intelligence Community, released updated policies and procedures to implement the privacy and civil liberties safeguards specified in the Executive Order. 
  • The U.S. Attorney General created the Data Protection Review Court, a two-layer mechanism for individuals to obtain independent and binding review and redress for violations of U.S. legal protections. He also designated EU Member States, as well as Iceland, Liechtenstein, and Norway as “Qualifying States” for purposes of implementing the redress mechanism established under the Executive Order.

Go deeper: Learn more about EU/U.S. cross-border data transfer mechanisms with Salesforce’s: 

For more on Salesforce and privacy, go here.


Editor’s note: This article was originally published on October 11, 2022.

How the New Executive Order Implementing the EU-US Data Privacy Framework Benefits Salesforce Customer Data Transfers

President Joe Biden has signed an Executive Order on the trans-Atlantic transfer of personal data to implement critical data privacy protections for individuals worldwide and provide companies with a new framework for transferring EU personal data to the US.  

Why it’s important: EU-to-US data flows facilitate $7.3 trillion in economic relationships. The Executive Order implements a new EU-US Data Privacy Framework to replace the EU-US Privacy Shield Framework.  

Driving the news: President Biden’s Executive Order outlines steps the US will take to implement the EU-US Data Privacy Framework that was announced in March 2022 by President Biden and European Commission President von der Leyen.

The Executive Order addresses key issues raised in the Schrems II decision related to U.S. surveillance authorities by:

  • Restricting surveillance to activities necessary to achieve defined national security objectives.
  • Requiring consideration of privacy and civil liberties of all persons, regardless of nationality or country of residence.
  • Creating a multi-layered mechanism for individuals to obtain independent and binding review and redress for violations of U.S. legal protections, including those guaranteed by the Executive Order.  

The Salesforce perspective: “We welcome the Executive Order on trans-Atlantic data transfers. It will increase privacy protections for individuals worldwide and strengthen trust in the continued validity of all EU cross-border data transfer mechanisms,” said Ed Britan, Head of Global Privacy, Salesforce. “With the EU-US Data Privacy Framework, the EU and the U.S. have demonstrated shared values in jointly setting a heightened privacy and data protection standard that global frameworks should now meet.”

The big picture: The Court of Justice of the European Union’s 2020 Schrems II decision invalidated the Privacy Shield Framework, causing uncertainty for many businesses about the legal threshold for transferring EU data across borders. 

Salesforce uses multiple mechanisms to provide customers with cross-border transfer security:

  • Binding Corporate Rules (BCRs) – Salesforce was the first enterprise software company to achieve approval for BCRs from European data protection authorities. BCRs reflect the highest data protection standards in the world and remain the gold standard for cross-border data transfer. 
  • Standard Contractual Clauses (SCCs) – In 2021, Salesforce released a data processing addendum (DPA), which includes the newest version of the standard contractual clauses and best-in-industry commitments around challenging government access requests and providing for customer audits. 
  • EU-US Data Privacy Framework / Privacy Shield – Salesforce has remained certified under Privacy Shield and understands that the same commercial requirements and certification scheme will be used for the EU-US Data Privacy Framework. Salesforce will continue to meet and exceed the requirements of the EU-US Data Privacy Framework. 

These efforts reflect Salesforce’s commitment to providing customers with the strongest protections available for addressing cross-border transfer requirements. In addition:

  • In 2021, Salesforce announced the Hyperforce EU Operating Zone, allowing customers expanded data residency services for storing and processing data in the EU.

  • At Dreamforce ’22, Salesforce announced external encryption key management, enabling customers to use EU encryption partners, based in the EU, for controlling access to their data.

Go deeper: Learn more about EU/U.S. cross-border data transfer mechanisms: 

For more on Salesforce and privacy, go here.
