Upwork removed detailed language about its compliance with the U.S. Data Privacy Framework (a legal mechanism for transferring personal data from Europe and Switzerland to the U.S.) but kept a single sentence stating you can request copies of data transfer documents. This means the policy no longer explicitly commits to Data Privacy Framework protections or acknowledges regulatory oversight, which may create uncertainty about how your data is legally protected if you are in the EU, UK, or Switzerland.
Upwork's privacy policy previously disclosed that it complied with the U.S. Data Privacy Framework and certified adherence to its Principles regarding how it processes personal data from EU, UK, and Swiss residents. The updated policy removes nearly all of this language, including the explicit commitment to Data Privacy Framework Principles and the statement that those Principles would govern in case of conflict with other policy terms. Users in the EU, UK, and Switzerland no longer have a clear, policy-level statement of the legal framework protecting their data when transferred to the U.S., which may reduce transparency about data protection safeguards. You may contact Upwork to request copies of the data transfer mechanism documents it uses.
The removal of explicit Data Privacy Framework compliance language eliminates a key transparency disclosure about how Upwork protects personal data transferred from the EU, UK, and Switzerland to the U.S. Under GDPR and UK GDPR, data transfers to non-adequate third countries require documented safeguards, and privacy policies are expected to inform users of the mechanisms used; the removal of this disclosure creates uncertainty about what legal basis now protects those transfers.
→ If you are in the EU, UK, or Switzerland, review Upwork's updated privacy policy to understand what data protection framework now applies to your personal data.
→ Contact Upwork directly to request copies of the data transfer mechanism documents it uses, as specified in the updated policy.
→ You may not know what legal safeguards protect your personal data when transferred from the EU, UK, or Switzerland to the U.S.
→ If disputes arise over data protection, you lose the policy-level assurance that Data Privacy Framework Principles govern the handling of your data.
Across all monitored documents, Upwork has made 2 significant changes.
2 of Upwork's significant changes have been classified as negative for consumers.
Removed language establishing that DPF Principles govern processing of EU, UK, and Swiss personal data and take precedence over other policy terms.
Removed detailed statements of Upwork's certification under EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF, including references to certification verification.
Removed language addressing Upwork's responsibilities when transferring DPF-received data to third-party service providers.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
Organizations that rely on Upwork to process EU, UK, or Swiss data no longer have a policy-level statement that DPF Principles govern that processing.
Upwork removed substantive Data Privacy Framework compliance disclosures from its privacy policy on May 1, 2026 (effective April 30, 2026), including its certification statement and conflict-of-law language favoring DPF Principles. The change eliminates transparency about compliance with the primary U.S. legal mechanism for transferring personal data from the EU, UK, and Switzerland. This affects organizations that rely on Upwork to process data on their behalf and may trigger GDPR or UK GDPR data controller obligations to audit and document data transfer mechanisms. Removal of DPF language without replacement of equivalent safeguards may create regulatory compliance questions under GDPR Articles 44-50 (international data transfers) and UK GDPR equivalents.
GDPR (Articles 44-50, Chapter V on transfers); UK GDPR (Chapter 5); Swiss Federal Data Protection Act; U.S. Commerce Department Data Privacy Framework regulations
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001513.