Back to blog

Follow and Subscribe

Fastly Participates in the EU-US Data Privacy Framework

Owen Kirshner

Legal Director focusing on product, privacy, and IP, Fastly

Fastly is committed to offering the highest levels of privacy and security for our customers and their data. This is why we’re providing more data privacy compliance options by participating in the new EU-US Data Privacy Framework (DPF).

The DPF facilitates cross-border transfers of personal data from the European Union (EU) to the United States (US) in compliance with EU law by providing a new transfer mechanism. This fills a gap left after the predecessor to the DPF, the Privacy Shield, was invalidated in 2020. Anticipating this update, over the last three years, Fastly maintained compliance with the Privacy Shield principles (which form the basis of the DPF) in our handling of personal data. 

Furthermore, our Data Processing Terms (DPT) include a flexible transfer mechanism that contemplates both the DPF as well as other commonly accepted mechanisms such as the Standard Contractual Clauses (SCCs), so Fastly customers can rest assured that they always have a valid transfer mechanism. 

What changed? 

Under the GDPR a valid mechanism of transfer is required for all transfers of personal data from an EU country to a non-EU country. This typically comes in the form of an adequacy decision (a determination from the EU Commission that a non-EU country has legal safeguards for data protection equivalent to those in the EU) or contractual safeguards, specifically the SCCs. This system is effectively mirrored by the UK's version of the GDPR.   

Previously, the Privacy Shield framework was subject to an EU Commission adequacy decision for EU-US transfers by participating companies. Many US companies (including Fastly) relied on this as a valid mechanism of transfer alongside the SCCs. Since the invalidation of the Privacy Shield, companies, including Fastly, have relied primarily on SCCs for US-bound transfers. The SCCs (originally published by the European Commission in 2018) were updated in 2021.

On July 10th, 2023, the European Commission finalized its adequacy decision determining that the DPF provides an adequate level of protection for data transfers from the EU to the US. The new framework, which addressed additional concerns including access to personal data by US intelligence agencies, was put into effect by the US International Trade Association immediately after. Going forward, the DPF can be relied on as a valid mechanism of transfer between the EU and US for participating companies that have self-certified. 

What does this mean for Fastly customers? 

More choices without more work! We’ve self-certified under the EU-US DPF and the supplemental Swiss-US DPF and expect to do the same for the UK extension when that is available in the coming months. Our Data Processing Terms already account for the DPF (and other adequacy decisions), so our customers can rely on this as a valid mechanism of transfer right away regardless of which Fastly products they are using. As always, the SCCs are built into our DPT as an alternative mechanism, so no matter what, we’ve got you covered. 

Keeping you compliant

It’s core to our DNA to champion data privacy and empower our customers. When new data privacy laws roll out, we are committed to keeping you informed and to making needed changes to our products and documentation as seamless as possible — and staying true to our ethos of putting customers first. 

Reach out to sales@fastly.com with any questions — but just to reiterate, no action is needed at this time.