On July 10, 2023, the European Commission announced that it adopted an adequacy decision under the EU-U.S. Data Privacy Framework (DPF) — but, uh, what on earth does this even mean? Is this Privacy Shield 2.0? And how does it affect your business?
Well, this announcement is actually good news, as the long-awaited DPF decision means you can make legal data transfers from the EU to the U.S., as long as your business self-certifies with the data protection measures outlined by the program. Which includes fully complying with the General Data Protection Regulation (GDPR).
But some uncertainty still exists regarding the long-term future and sustainability of the EU-U.S. DPF Program.
In this guide, I’ll teach you everything you need to know about the DPF Program, walk you through the compliance process, and explain the interesting history of international data transfers between the U.S. and the European Union (EU).
- What Is the Data Privacy Framework (DPF) Program?
- Who Does the Data Privacy Framework Program Affect?
- What Do Businesses Need To Know About the DPF?
- What Are the Key Requirements of the Data Privacy Framework?
- Who Enforces the Data Privacy Framework Program?
- A Brief History of the EU-U.S. Data Privacy Framework
- How Termly Helps With Data Privacy Compliance
- Summary
What Is the Data Privacy Framework (DPF) Program?
The Data Privacy Framework (DPF) program is subject to adequacy decision developed to facilitate transatlantic commerce and provide a reliable mechanism for the transfer of personal data from the European Union (EU), the European Economic Area (EEA), the United Kingdom (U.K.), Gibraltar, and Switzerland to the United States.
An adequacy decision must be in place to transfer personal data from users in these regions to a third country.
The framework ensures that U.S. data processors adequately comply with EU, U.K., and Switzerland data protection laws like the GDPR, the U.K. GDPR, and the Federal Data Protection Act (FDPA).
Thus, the DPF program technically consists of the following three key frameworks to account for each location:
- The EU-U.S. Data Privacy Framework (EU-U.S. DPF)
- The U.K. Extension to the EU-U.S. Data Privacy Framework (U.K. Extension to the EU-U.S. DPF)
- The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
What Is an Adequacy Decision?
An adequacy decision is a formal process by the European Commission denoting that a third country or international organization can adequately protect personal information from individuals in the EU, EEA, U.K., and Switzerland.
The GDPR — the data protection law that protects individuals in the EU and EEA and shaped the U.K. GDPR and the Swiss FDPA — requires an adequacy decision for international transfers to take place without requiring further approval from a governing authority.
Who Does the Data Privacy Framework Program Affect?
The DPF program affects entities in the United States who want to transfer personal data from individuals in the EU, EEA, U.K., Gibraltar, and Switzerland to U.S.-based servers.
In this next section, I’ll briefly cover a few more details about who, precisely, is impacted by each of the three privacy frameworks created by this program and list their effective dates.
EU-U.S. DPF
The EU-U.S. Data Privacy Framework applies to transferring personal data from individuals in the EU and EEA to participating organizations in the United States who have consistent data processing practices with EU law — in this case, the GDPR.
The EU-U.S. DPF Principles went into effect on July 10, 2023.
U.K. Extension to the EU-U.S. DPF
The U.K. Extension to the EU-U.S. Data Privacy Framework pertains to U.S. entities seeking to transfer the personal data of individuals from the U.K. or Gibraltar to servers located in the United States. It enables those U.S. organizations to self-certify compliance under the DPF.
But U.S. entities that rely on this extension must wait until after adequacy regulations implementing the data bridge enter into force before legally transferring data overseas.
The U.K. Extension to the EU-U.S. DPF entered into force on July 17, 2023, but a date regarding the data bridge has yet to be announced. A decision is expected in the coming months.
Swiss-U.S. DPF
The Swiss-U.S. Data Privacy Framework applies to U.S. entities that want to transfer the personal information of individuals in Switzerland to U.S.-based servers.
However, like the U.K. extension, personal data transfer from Switzerland, relying on the Swiss-U.S. DPF, is only allowed after Switzerland recognizes the adequacy of the Framework.
The Swiss-U.S. DPF Principles went into effect on July 17, 2023, and an adequacy decision recognizing the Framework is expected before the end of 2023.
US businesses operating in the EU market will reap great benefits from the Data Privacy Framework. The DPF will allow US businesses to access and handle EU data without having to carry out transfer impact assessments, incorporating SCCs, or taking any additional steps. – Ali Talip Pınarbaşı, CIPP/E, & LLM
What Do Businesses Need To Know About the DPF?
There are several essential considerations businesses must keep in mind under this new Data Privacy Framework Program, including:
- EU-U.S. DPF Program and Participation: Under the DPF Program, U.S. organizations can choose to self-certify their compliance with specific frameworks. But it’s important to note that participation in the U.K. Extension to the EU-U.S. DPF specifically requires prior participation in the EU-U.S. DPF.
- Compliance Under the EU-U.S. DFP Program: Organizations that previously self-certified compliance with the EU-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield must now comply with the relevant DPF Principles to continue enjoying the benefits of the respective frameworks.
- Data Privacy Framework List: To rely on the DPF Principles for data frameworks, organizations must be on the Data Privacy Framework List. The International Trade Administration (ITA) updates this list based on annual re-certification submissions and may remove non-compliant organizations.
- Resources For the EU-U.S. DPF Framework: The ITA provides resources and FAQs to assist organizations interested in self-certifying their compliance with the DPF frameworks.
“Businesses must include in their privacy policy a public declaration of their commitment to comply with the Principles of the Data Privacy Framework and inform the individuals about their rights granted by the Framework. It is also important for businesses to only process the personal data that is relevant for the purpose of processing and comply with the data retention provisions.” – Teodor Stanciu, CIPP/E, CIPM
What Are the Key Requirements of the Data Privacy Framework?
To self-certify compliance with the EU-U.S. DPF Program, you must meet specific requirements, so let’s go over those together.
Informing Individuals About Data Processing
Under the EU-U.S. DPF Program, you must inform individuals about your data processing activities through a comprehensive privacy policy.
Your privacy policy must declare your organization’s commitment to complying with the DPF Principles and is enforceable under U.S. law.
You must also include links to the DPF program website and independent recourse mechanisms for individuals to submit complaints for investigation.
Additionally, the contents of your privacy policy must inform individual users of their data access rights, disclosure requirements to public authorities, enforcement jurisdiction, and onward data transfer liability.
Providing Free and Accessible Dispute Resolution
You must provide free dispute resolutions and respond to individual user complaints within 45 days to self-certify with the EU-U.S. DPF Program.
You must provide an independent recourse mechanism to resolve complaints and disputes at no cost.
The ITA facilitates the resolution process regarding submitted complaints to Data Protection Authorities within a 90-day timeframe.
You must also make binding arbitration available if complaints aren’t resolved through other mechanisms.
Cooperating With the U.S. Department of Commerce
Another requirement under the EU-U.S. DPF program includes cooperating with the U.S. Department of Commerce regarding inquiries or requests sent to the ITA.
Specifically, you must respond promptly to all requests related to the DPF program.
Maintaining Data Integrity and Purpose Limitation
Per the EU-U.S. DPF Program, you must limit your collection of personal information to only what is relevant to the purposes you described for processing the data.
Under the GDPR, this is also known as your legal basis.
Additionally, you also need to comply with all GDPR data retention provisions. This requirement means you can only retain the data for as long as it takes to achieve the purposes you described for processing the information.
Ensuring Accountability for Data Transferred to Third Parties
To transfer data to a third-party controller, organizations must comply with what’s referred to as the Notice and Choice Principles and enter into a contract ensuring limited and specified purposes and protection levels.
“Notice and Choice Principles” essentially means providing individuals with a notice of what personal information you’re collecting and providing them with a choice over how that information gets processed or used.
Organizations must ensure limited purposes and privacy protection to transfer data to a third-party agent and take measures for proper processing.
Transparency Related to Enforcement Actions
Another key requirement under the EU-U.S. Data Privacy Framework Program involves transparency regarding compliance reports.
Organizations must make relevant DPF-related sections of their compliance reports public if subject to Federal Trade Commission (FTC) or court orders based on non-compliance under the data protection regulations.
Ensuring Commitments Are Kept as Long as Data Is Held
Entities are subject to certain privacy commitments if they leave the DPF Program but want to retain the personal data collected.
Notably, after exiting, organizations must annually affirm their commitment to applying all DPF principles to the retained data or provide adequate protection through other authorized means.
Who Enforces the Data Privacy Framework Program?
Part of the U.S. Department of Commerce, the International Trade Administration or ITA administers the DPF program.
Eligible U.S.-based organizations can self-certify their compliance with the EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF through the ITA’s Data Privacy Framework (DPF) program website.
Once an organization self-certifies its compliance, it must adhere to the DPF Principles, which are enforceable under U.S. law.
A Brief History of the EU-U.S. Data Privacy Framework
As promised, I’m about to cover the history of personal data transfers between the U.S. and Europe to help you understand how we got to the EU-U.S. Data Privacy Framework Program — and shed some light on why people are already discussing a possible Schrems III case.
The Safe Harbor Framework and Schrems I
In 2000, the Safe Harbor Framework dictated international data transfers between the U.S. and Europe. This agreement was in place for over a decade and allowed for data to cross between borders without relying on Standard Contractual Clauses or SCCs.
It outlined seven key principles, which include:
- Notice
- Choice
- Onward transfer
- Security
- Data integrity
- Access
- Enforcement
But on October 6, 2015, the Court of Justice of the European Union (CJEU) issued a judgment invalidating the Safe Harbor Agreement.
Their reasoning?
Max Schrems, an Austrian privacy activist and lawyer who was a law student at the time, filed a complaint to the Irish Data Commissioner stating that Facebook Ireland illegally shared his personal information with the U.S. government.
Known as Schrems I, this case came after the Edward Snowden revelations exposed the National Security Agency’s (NSA) surveillance program.
Because the GDPR only allows access to personal data when it’s strictly necessary, and U.S. laws allow for government agencies to have broader access to that information, the CJEU overturned the Safe Harbor Program.
The EU-U.S. Privacy Shield and Schrems II
On July 12, 2016, the European Commission replaced the Safe Harbor Framework with the EU-U.S. Privacy Shield.
Designed in collaboration between the U.S. Department of Commerce and the European Commission, the EU-U.S. Privacy Shield was overturned by the CJEU on July 16, 2020, citing that U.S. laws didn’t protect personal data from the EU following the GDPR.
Again, this resulted from a case between Schrems and Facebook Ireland, known as Schrems II.
Schrems updated his original complaint, claiming Facebook continued to transfer his personal data to the U.S. illegally.
However, this case did uphold the use of Standard Contractual Clauses or SCCs to provide adequate levels of protection.
It took three years of debate, drafting, and redrafting for the European Commission and the U.S. government to agree to the current EU-U.S. Data Privacy Framework Program.
The Future of the DPF Program
So what does the future of the Data Privacy Framework Program look like?
At this point, things seem up in the air.
The recently introduced EU-US Data Privacy Framework (DPF) holds significant promise for safeguarding the data of European consumers as it enables the transfer of personal information from the European Economic Area (EEA) to the United States.
However, potential challenges are on the horizon, making it vital for businesses to stay informed and cautious about transferring personal data.
A Possible Schrems III On the Horizon?
In my opinion, the DPF is a welcome development, aiming to balance protecting privacy rights and facilitating necessary data transfers. Although experts deem the new redress mechanism robust, it is worth mentioning that Max Schrems (and his group NOYB) intend to challenge the framework legally.
As privacy-conscious consumers, we must understand that the DPF will be subject to yearly reviews. Periodic evaluations showcase the unwavering dedication of the authorities in proactively addressing potential threats to consumer privacy.
So, what does this mean?
Simply put, to protect our data effectively, we should consider supplementing our data transfers to the U.S. with extra measures. While the framework grants adequacy decisions a pass without additional safeguards, it’s critical to be cautious when dealing with transfers not included in the official “Data Privacy Framework List.”
For such cases, using supplementary measures, such as standard data protection clauses or binding corporate rules, can provide an extra layer of security.
One reassuring aspect is that all safeguards implemented by the U.S. Government in the realm of national security, including the redress mechanism, apply to all data transfers to the U.S.
If a consumer believes their privacy rights have been violated, they have the option to file a complaint with the national data protection authority and take advantage of the recently introduced redress mechanism.
Moreover, the possibility of state-level collaboration within the U.S., particularly with California’s privacy frameworks, opens up avenues for even more robust data protection measures. These measures show that authorities are actively exploring ways to enhance privacy for consumers, but it also highlights the complex nature of cross-border data protection.
In conclusion, the EU-US Data Privacy Framework is a significant step forward in protecting personal data during cross-border transfers.
As individuals, we can adapt our privacy practices by staying informed about legal challenges and yearly reviews.
Supplementing data transfers with extra safeguards, especially for those not covered by the framework, is a smart move to safeguard your business.
Remember, your privacy is in your hands!
The Data Privacy Framework has brought long awaited clarity for businesses on both sides of the Atlantic, and greatly simplifies the procedures needed for EU-US Transfers. However, this is unlikely to be the last twist in the tale, and the prospect of further legal challenges are on the horizon. Considering the similarities of the Framework to the previous ‘Privacy Shield’, it is key that the new monitoring and enforcement mechanisms established in the Framework are demonstrated to be effective to ensure its long-term viability. – James Ó Nuanáin, CIPP/E, CIPM, CIPT
How Termly Helps With Data Privacy Compliance
If you need to comply with laws like the GDPR, Termly is your one-stop shop.
Backed by our legal team and data privacy experts, we’ve got everything you need, from a legally compliant Privacy Policy Generator to a customizable Consent Management Platform (CMP) that you can configure to meet opt-in and opt-out consent requirements.
We also provide additional necessary website and legal policies to help businesses of all kinds streamline customer services and better protect themselves and their consumers online, like our Terms and Conditions Generator and Return and Refund Policy Generator.
The best part?
We offer free and paid options. Termly Pro+ users get access to everything we offer. Yes, everything — including new and up-and-coming resources currently in development.
Summary
You’ve now caught up on all we know about the EU-U.S. Data Privacy Framework programs, its implications, and how it impacts businesses and consumers around the globe.
The conversation around international data transfers from Europe to the U.S. probably won’t stop here. And you can trust that we’ll be here to summarize the potential changes and impact whenever there’s an update.
