On July 10, 2023, the European Commission adopted an adequacy decision for the EU–US Data Privacy Framework (the “DPF”). The DPF is a privacy program that allows participating organizations to freely receive personal data transferred out of the EU without having to rely on the Standard Contractual Clauses or other complicated mechanisms that are otherwise required to protect European data transferred into the US. For this reason, US-based organizations that do business in Europe or otherwise regularly receive European data may wish to consider participating in the DPF to significantly simplify the transfer process.
The DPF arises indirectly from the 2020 European Court of Justice Schrems II decision invalidating the program that had been in place to allow data to be easily transferred into the US from Europe (known as the “Privacy Shield”). The Privacy Shield was invalidated as a transfer mechanism in part because the court decided it did not adequately protect transferred European data. The DPF was created to address some of the concerns raised in that decision, so, while the DPF looks a lot like the old Privacy Shield, there are some differences in what organizations have to do to participate. To take advantage of the simplified transfer process available to DPF participants, organizations must:
- Publicly commit to comply with the privacy principles outlined in the DPF itself;
- Publicly disclose privacy policies and practices that are in line with the privacy principles outlined in the DPF; and
- Fully implement those policies and practices such that the organization’s data handling actually complies with the principles outlined in the DPF.
The Department of Commerce (which oversees the DPF) has created an online process for organizations to use to self-certify their compliance with these requirements. Before signing up, interested organizations should ensure they understand the commitments they will have to make to comply with the DPF’s principles (including the effect those commitments will have on their privacy practices), as well as the consequences they could face for failing to comply. This article is intended to help organizations understand these points and to provide some insight into what they will need to complete the self-certification process.
Why Should My Organization Participate in the DPF?
Before diving into the substance of the DPF itself, it is helpful to briefly touch on why the program is useful for US organizations that work with European data. Under the European General Data Protection Regulation (GDPR), organizations that collect data from EU residents can only transfer that data outside of the EU if they can ensure that the transferred data will enjoy an essentially equivalent level of protection to what is provided by EU law. The EU has issued “adequacy decisions” for some countries that have privacy laws in place that are sufficiently similar to the GDPR, which allows companies to transfer EU personal data to those countries without restrictions.
In order to transfer data to countries that don’t have an adequacy decision from the EU, the GDPR requires transferring organizations to use an alternative legal basis to justify the transfer. The most common alternative is the Standard Contractual Clauses (SCCs), but such contracts impose significant burdens on the organization that is receiving European data. This includes the need to execute a separate contract with every exporter of personal data, and also requirements imposed by the Schrems II decision to conduct further analysis about whether the company needs to implement supplemental measures above and beyond what the organization uses to protect data from non-European sources.
For the past several years, the US has not had a valid adequacy decision from the EU, and so SCCs (with their attendant costs) were the primary option for most companies that sought to transfer personal data from the EU to the US. That changed on July 10, 2023, when the European Commission adopted an adequacy decision around the new DPF. That decision means that European data can now be transferred freely to the US—but only if the receiving organization is participating in the DPF program. Signing up for the DPF could therefore significantly reduce the burden that falls on US organizations that regularly import European data by simplifying the transfer process. For this reason, any organization that regularly works with European data should consider participating if it is able to bring its privacy practices in line with the DPF principles outlined in the next section.
What are the DPF Principles and How Should My Organization Comply?
At the core of the DPF are seven principles that all participating organizations must agree to comply with for any data they receive from the European Union. The principles themselves relate to how an organization collects and processes personal data, and they cover almost every aspect of an organization’s data handling practices, including what information an organization should provide to individuals before their data is collected, what the organization should do with data after it’s been collected, and what type of recourse the organization should provide to individuals who believe their data has been mishandled. We have summarized each of the seven core principles below along with some points organizations should consider when trying to bring their privacy practices in line with what the DPF requires.
- Notice: This principle provides that organizations should provide a notice to individuals when their data is collected, informing them about what the organization is going to do with their data and explaining the rights individuals have with respect to their data after it is collected. US state-level privacy laws (like the California Consumer Privacy Act) also require organizations to provide notice to individuals whose data is being collected, so any organization that complies with those laws is likely familiar with this type of requirement.
  - There are thirteen pieces of information organizations must include in their notice to comply with the DPF. A few notable examples include (1) the purposes for which data is collected and used, (2) the rights individuals have to limit the use or disclosure of their data (along with details of the process they can use to do so), (3) the government entity or entities that are empowered to investigate the organization for any misuse of data, and (4) a statement that the organization has committed to complying with the DPF principles as they pertain to any European data.
- Choice: The choice principle requires organizations to offer individuals the opportunity to choose whether their data will be (1) disclosed to any third parties, or (2) used for any purpose that is different from the purpose(s) for which it was originally collected. This functionally requires participating organizations to allow individuals to opt out of having their data used in these ways. The term “disclosed” is not defined in the DPF itself, but it is likely broad enough to encompass both selling data and sharing it for targeted advertising purposes, so organizations should ensure they are equipped to receive and process these types of opt-out requests before signing up for the program.
- Accountability for Onward Transfer: Participating organizations must commit to only transferring data onward to third parties if adequate protections are in place to ensure that the transferred data is protected to the same extent that it would have been without the onward transfer. This requires entering into a contract with the third party (often referred to as a “Data Processing Agreement”) that limits what the third party is allowed to do with the data and implements safeguards to protect the data after the transfer.
- Security: This principle requires organizations to implement internal security measures around data to protect it from loss, misuse, unauthorized access, disclosure, alteration, and destruction while it is under the organization’s control. The DPF does not specify what these security measures should look like, so any “reasonable and appropriate” protections should qualify.
- Data Integrity and Purpose Limitation: This principle contains two distinct requirements.
  - First, organizations must commit to limit their collection/use of data to only what is reasonably necessary to accomplish the purposes that were disclosed to individuals when their data was collected. This means organizations should not collect more personal data than they need to accomplish their goals, nor should they use previously collected data to accomplish purposes that are materially different from the purpose(s) disclosed to individuals.
  - Second, organizations should generally only retain data for as long as it is being used to accomplish the purpose(s) for which it was collected. There are some exceptions to this rule that allow organizations to retain data for longer periods when the data is being used for certain activities (such as journalism, scientific or historical research, or statistical analysis), but in general organizations should delete data once it is no longer needed.
- Access: Like the Choice principle, the Access principle functionally requires organizations to give individuals the right to make certain requests concerning their data. Organizations must commit to allowing individuals to access the data an organization has collected about them, and to correct or delete that information where it is inaccurate or where the organization has processed the data in violation of the other principles. Many US state-level consumer privacy laws require organizations to offer individuals similar rights, often referred to as the Right to Know, the Right to Correct, and the Right to Delete. Organizations should ensure they are equipped to receive and process requests to exercise these rights before signing up for the DPF.
- Recourse, Enforcement, and Liability: To comply with this principle, organizations must commit to implementing mechanisms for (1) ensuring the organization’s compliance with the rest of the principles, (2) providing recourse for individuals who are affected by the organization’s non-compliance, and (3) imposing consequences on the organization if it doesn’t comply. There are two distinct requirements contained in this principle:
  - First, organizations must provide individuals with mechanisms they can use to submit complaints when they believe their data has been mishandled. Notably, the DPF requires organizations to provide both an internal mechanism for submitting complaints and a mechanism that is independent from the organization itself. For the latter mechanism, organizations must agree to allow some external entity to hear complaints and decide whether the organization violated any of the DPF’s principles. The DPF gives organizations leeway to select an outside entity of their choice (provided it meets certain requirements), or they may choose to allow European Data Protection Authorities to handle disputes. No matter which option an organization chooses, it must commit to cooperate with the external entity in its investigation of the complaint and, in the event that the external entity determines the organization failed to comply with any of the DPF’s principles, it must commit to taking corrective action to remedy the violation.
  - Second, organizations must implement procedures for periodically assessing their privacy practices to verify that they remain in compliance with the DPF principles. This verification requirement can be satisfied either through self-assessments conducted by the organization itself, or by external compliance reviews (e.g. audits) conducted by outside entities. In either case, an organization must commit to completing and documenting this verification on at least an annual basis after they join the DPF.
Before signing up for the DPF, organizations should carefully evaluate their data handling practices to ensure they are in line with all of the above principles. The DPF provides that most organizations that participate in the program must be under the jurisdiction of the FTC and that any violations of the DPF principles constitute unfair or deceptive trade practices under Section 5 of the FTC Act. An organization charged with violating Section 5 could face penalties of up to $50,120 per violation as well as significant injunctive remedies, so the consequences for failing to comply with the DPF principles can be severe.
How Can My Organization Sign Up for the DPF?
Once you’ve evaluated your organization’s data handling practices and made sure that it will be able to comply with the DPF’s substantive requirements, the next step is to actually sign up for the program. The process itself is relatively simple. All you need to do is submit a self-certification statement to the Department of Commerce that shows your organization is capable of and committed to complying with the DPF principles. Any corporate officer (or other individual authorized to act on behalf of your organization) can complete the self-certification through the Department’s online portal. The Department requires organizations to submit the following information to be certified:
- The name of the organization;
- A description of the activities the organization engages in that involve receiving data from the European Union;
- Contact information for the individual(s) or department(s) within the organization that will be responsible for handling complaints and access requests from individuals;
- The name of the “specific statutory body” that has jurisdiction to hear claims against the organization in the event it violates the DPF principles or US privacy laws;[1]
- The name(s) of any other privacy programs the organization participates in;
- The method the organization will use to verify its compliance with the DPF principles; and
- The independent recourse mechanism that is available to investigate complaints from individuals about the organization’s data handling practices.[2]
Once an organization submits this information (and a fee that scales based on annual revenue), the Department will review the application and, if everything is in order, place the organization on the public Data Privacy Framework List, which includes all organizations participating in the DPF. The review process could take a few months, but the DPF benefits are available as soon as an organization is added to the list, so it can take advantage of the simplified transfer process immediately after that. Signing up is even easier for organizations that are currently participating in the Privacy Shield program. These organizations will automatically be added to the DPF list as long as (1) their Privacy Shield certification is current, and (2) they update their public privacy policies to refer to the “EU–U.S. Data Privacy Framework Principles” (rather than the “Privacy Shield Framework Principles”) by October 17, 2023.
Once an organization receives its DPF certification, it must renew that certification on an annual basis to maintain it, by (1) re-submitting an updated self-certification statement to the Department (with an accompanying fee), and (2) completing and documenting an assessment of the organization’s privacy practices to verify that it remains in compliance with all of the DPF principles. As noted in the Recourse, Enforcement, and Liability section above, organizations can satisfy the verification requirement either internally through a self-assessment, or through an external compliance review conducted by an auditor or other outside body. Organizations that fail to renew their certifications will be removed from the DPF list and will not be able to take advantage of the simplified transfer process available to DPF participants. Organizations should formally withdraw from the program if they no longer wish to participate.
The final question on this subject is whether the DPF will survive legal challenges, unlike the Privacy Shield program that preceded it. While it is difficult to say at this point, the DPF does address many of the Privacy Shield’s shortcomings, which certainly improves its chances. And as a practical matter, any such challenges will likely take years to be decided, and so organizations may find it worthwhile to participate now even if they’re unsure of the program’s long-term viability.
On the whole, the EU–US Data Privacy Framework presents a great opportunity for organizations that regularly import European data into the US to significantly reduce the burdens around such transfers. However, the penalties for failing to comply with the DPF principles after an organization joins the program can be severe, so organizations should take care to assess their data handling practices and ensure they are able and willing to comply with all of the DPF’s requirements before signing up.
Sixfifty is here to help organizations draft compliant privacy documentation in preparation to sign up for the DPF. As such, we will be updating our suite of privacy tools in the coming weeks to account for the DPF’s requirements.
[1] As noted above, for most organizations, this will be the Federal Trade Commission (FTC), which has broad authority to investigate unfair trade practices and privacy violations in most sectors of the economy. If you believe your organization is not subject to the FTC’s jurisdiction, or if you aren’t sure which body has authority over your organization, consider consulting legal counsel.
[2] See the Recourse, Enforcement, and Liability section above for details on the verification and recourse mechanisms referenced in points 7 and 8.