At Box, our mission is to power how the world works together, and we care deeply about protecting the privacy rights of our customers and their end-users. That’s why we remain committed to providing a cloud-based content management platform and product portfolio that not only meets but surpasses industry standards. Following the Court of Justice of the European Union (“CJEU”) July 2020 decision to invalidate the adequacy of Privacy Shield in the "Schrems II" case, we shared a blog post highlighting Box’s continued efforts to protect our customers' personal data. In that update, we shared that while the CJEU invalidated Privacy Shield as a data transfer mechanism, we remained committed to adhering to the Privacy Shield principles. As part of our commitment, we maintained our certification under the EU-U.S. and Swiss-U.S. Privacy Shield framework (the “Privacy Shield Framework”) as reviewed and overseen by the U.S. Department of Commerce.
On 11 July 2023, we welcomed the European Commission’s adequacy decision of the EU-U.S. Data Privacy Framework(“DPF”).The DPF enables eligible U.S. companies to facilitate cross-border transfers of personal data in compliance with EU law. Companies, like Box, who continued to participate under the Privacy Shield Framework will need to certify to the EU-U.S. DPF.
We are thrilled to announce that Box will certify to the EU-U.S. DPF. We deeply appreciate the collective efforts of the European Commission and the efforts of the President of the United States and his Administration for protecting the continuous free-flow of data between jurisdictions. The EU-U.S. DPF paves a solid foundation for companies on both sides of the Atlantic to operate in a regulatory environment that encourages innovation and fosters collaboration while upholding robust technological and organizational safeguards to protect the rights and freedoms of data subjects.
Implementing the E.U.-U.S. Data Privacy Framework at Box
As part of our continued commitment to providing our customers with multiple means to lawfully transfer data, Box will certify to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) by the 10 October 2023 deadline, as required by the U.S. Department of Commerce. Box will also certify to a similar DPF that will be adopted by the UK, known as the UK Extension to the EU-U.S DPF, and Switzerland, known as the Swiss-U.S. DPF. Once the certifications are complete, the DPF will be one of the data transfer mechanisms utilized by Box for transfers of customer personal data. There is no action required for our customers. Box will continue to maintain its Standard Contractual Clauses (SCCs) along with its related Processor and Controller Binding Corporate Rules (BCRs). To learn more about the data transfer mechanisms Box has implemented, please visit Box’s GDPR website and Regional Information Page.
As the regulatory landscape evolves, we'll be monitoring the situation and will take proactive steps to ensure that we continue to offer best-in-class data protection and security. Should you have any questions, please contact [email protected].