How to Comply with the New EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF. As a successor of the EU-US Privacy Shield, the EU-US DPF facilitates the transfer of EU personal data to participating organizations in the United States.

Only those companies subject to the jurisdiction of either the Federal Trade Commission (FTC) or the US Department of Transportation (DOT) are eligible to self-certify their compliance with the DPF. The scope of eligibility is likely to broaden in the future.

THE DPF PROGRAM WEBSITE

On July 17, 2023, the International Trade Administration (ITA) within the US Department of Commerce (DoC) opened the DPF program website. The DPF program website includes instructions, information, and detailed FAQs, including the following:

• To participate in the DPF program, eligible organizations in the United States can elect to self-certify their compliance with the DPF Principles via the DPF program website and must publicly commit to such compliance.
• Once an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under US law. US organizations duly registered under the EU-US Privacy Shield were automatically transferred to the DPF program.
• All registered organizations can be found on the Data Privacy Framework List.
• The DoC states in its General FAQ, the DPF program is not a General Data Protection Regulation (GDPR) compliance mechanism, but rather a means that enables participating organizations to meet the EU requirements for transferring personal data to the United States.

ELIGIBILITY

To qualify for the DPF program, organizations must fall under the authority of either the FTC or the DOT. Those companies not subject to the jurisdiction of either the FTC or DOT—for example, banking, insurance, and telecommunications companies—are unable to participate in the DPF program at this time.

SELF-CERTIFICATION REQUIREMENTS

Organizations may voluntarily certify their compliance with the EU-US DPF or the Swiss-US DPF (once it becomes available—likely this fall) if they choose. However, in order to participate in the UK extension to the EU-US DPF, organizations must participate in the EU-US DPF. These organizations must pledge to adhere to the DPF Principles for data transfers from the European Union, the United Kingdom (including Gibraltar), and Switzerland. Inclusion on the Data Privacy Framework List requires organizations to initially self-certify and then annually recertify to the ITA that they adhere to the DPF Principles.

COMPLIANCE OBLIGATIONS

The EU-US DPF triggers a range of compliance obligations for various organizations. These involve updates to privacy policies, registration processes, and ensuring dispute resolution under the EU-US DPF by data recipients.

US Organizations Already Registered Under the EU-US Privacy Shield

Organizations registered under the EU-US Privacy Shield must ensure their full compliance with the DPF Principles by updating their privacy policies to, among other things, refer instead to their commitment to comply with the “EU-US Data Privacy Framework Principles” and the “Swiss-US Data Privacy Principles,” as applicable. Organizations must include such references within three months of the effective date of the DPF Principles (i.e., by October 10, 2023).

This task should not be taken lightly and changing just the name of the program in the privacy policy will most likely not suffice. For instance, and among other issues, the descriptions of the DPF Principles require modification and companies will have to tailor the DoC’s sample language. Organizations can upload their revised privacy policies through the DPF website program without further intervention of the DoC, as there is no automatic review.

The FTC and other US regulatory bodies are expected to enforce the DPF aggressively to demonstrate to the European Union that it works. As such, organizations should ensure that all changes made to conform their policies to the DPF Principles are accurate and complete to avoid investigations and potential fines. The FTC can, and likely will, investigate compliance with the DPF Principles, as well as false claims of participation in the DPF by organizations that are no longer on the DPF List or never properly certified. In addition, the DPF provides all covered data subjects with additional options to enforce their rights or lodge complaints under the DPF.

US Organizations and Potentially Their Affiliated US Companies Electing to Register Under the EU-US DPF

The registration process (detailed in this Privacy Laws & Business article) is almost the same as under the EU-US Privacy Shield. The DoC offers ample guidance and the DPF program website provides the following:

It is important to note that the [Court of Justice of the European Union’s] Schrems II decision focused solely on government access to data. The CJEU did not question the protections that the EU-US Privacy Shield offered EU individuals in the commercial sphere.

The registration process with the DoC requires a significant number of documents and statements and there is a moderate filing fee. While there is no automatic review of documents uploaded to the DPF program website, an organization will not be included on the EU-US DPF list until the DPF team reviews the relevant filings. A brief guide to the self-certification process, including steps that the organization must take prior to providing its initial self-certification submission include

• confirming the organization’s eligibility to participate in the DPF Program;
• developing a DPF-compliant privacy policy statement conforming to the DPF Principles;
• identifying the organization’s independent dispute resolution mechanism (such as one provided by a private-sector alternative dispute resolution body) for the personal data covered by the self-certification;
• providing accurate information about the location of the organization’s applicable privacy policy;
• making the required contribution for the for the Annex I Binding Arbitration Mechanism to cover the arbitral costs, including arbitrator fees, at the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA)’s website;
• ensuring procedures are in place for verifying that the attestations and assertions that it makes about its DPF privacy practices and that those privacy practices have been implemented as represented and in accordance with the DPF Principles; and
• designating a contact for handling DPF complaints, access requests, or any other issues concerning the DPF.

EU-Based Organizations Sending Personal Data to US Organizations Claiming to Be Registered Under the DPF Program

EU-based organizations sending personal data to US organizations claiming to participate in the DPF Program must verify that the relevant US organization is registered under the DPF Program pursuant to their obligations under the GDPR. Such EU-based organizations should check on a regular basis (for example, every six months) whether US organizations receiving personal data obtained a DPF certification covering all personal data categories that the EU-based organization transfers. EU-based organizations must adjust their own privacy policies to reflect the DPF properly (e.g., Art. 13 (1) (f) GDPR) as well as the relevant entries in the EU organization’s data processing register (Art. 30 GDPR).

FURTHER GDPR COMPLIANCE MAY BE REQUIRED

US organizations subject to the GDPR must comply with it irrespective of their participation in the DPF Program as it instead provides a mechanism for the transfer of EU personal data from the European Union to the United States. In these cases, registering under the DPF Program is just one of many compliance measures. Other GDPR compliance measures include

• data Processing Agreements between controllers and processors or processors and subprocessors;
• joint Controller Agreements between several controllers;
• ·obtaining consent from data subjects; and
• providing necessary disclosures under the GDPR, e.g., data privacy statements.

CONCLUSION

The introduction of the EU-US DPF Program establishes a foundation for a streamlined approach to transfers of personal data from the European Union to the United States. All organizations interested in transferring EU personal data to the United States need to carefully assess their eligibility, adhere to the DPF Principles, and ensure compliance with relevant US laws and the GDPR as applicable.