As we recently reported, the new EU-US Data Privacy Framework (DPF) entered into force on July 10, 2023. DPF offers a streamlined mechanism to facilitate transfers of personal data from the EU to US companies participating in DPF, replacing the prior Privacy Shield program. DPF will have an immediate effect on US companies that have self-certified to the Privacy Shield program, and other US companies may wish to consider whether to participate in DPF. Below, we address some of the most frequently asked questions from US companies arising upon DPF’s entry into force:
1. Are companies required to participate in DPF?
No, participation in DPF is voluntary. US companies can use alternative EU data transfer mechanisms to facilitate transfers of personal data from the EU, such as entering into EU standard contractual clauses (SCCs) with the EU data exporter, if they do not wish to participate in DPF.
2. Should my company participate in DPF?
Companies eligible to participate in DPF will want to compare DPF to other options for facilitating transfers of personal data from the EU, most notably SCCs. DPF offers certain advantages over SCCs, such as ease of use (e.g., avoiding the need to fill out and execute SCCs with each counterparty to the transfer) and greater flexibility in the contracting language (e.g., avoiding the need to use the SCC wording verbatim). Moreover, European businesses may prefer engaging with DPF-certified US companies in order to demonstrate enhanced protection of transferred personal data vis-à-vis their customers and local authorities. However, DPF also imposes significant ongoing compliance obligations on participating companies, as discussed further below.
3. What companies are eligible to participate in DPF?
In order to participate in DPF, a company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or Department of Transportation (DOT). There is the possibility of the EU recognizing other US statutory bodies in the future, but currently a company must be subject to the investigatory and enforcement powers of either the FTC or DOT in order to be eligible to self-certify to DPF.
4. My company is self-certified to the Privacy Shield program. What actions do we need to take to participate in DPF?
The International Trade Administration (ITA) has issued an advisory stating that US companies that have self-certified to the Privacy Shield (list available here) must comply with DPF, including by updating their privacy policies by October 10, 2023. Such companies do not need to file a new self-certification in order to participate in DPF; their participation will be automatic. They will need to continue to recertify annually in accordance with DPF, by their current recertification due date.
5. My company self-certified to the Privacy Shield program, but we would prefer not to participate in DPF. What actions do we need to take to avoid participating in DPF?
According to the ITA’s advisory, US companies that have self-certified to the Privacy Shield must now comply with DPF. If a company that has self-certified to the Privacy Shield does not wish to continue participating in DPF, the company will need to withdraw formally in accordance with the ITA’s withdrawal process. Please note that failure to complete the annual recertification process does not terminate the company’s participation or obligations. Also, the company would be required to continue to abide by the applicable Privacy Shield/DPF principles with respect to personal data received under those programs, even after completing the formal withdrawal process.
6. When can companies start self-certifying to DPF, if they are not already self-certified to Privacy Shield?
The ITA indicated in its advisory that the new DPF website (http://www.dataprivacyframework.gov/) will be launched on July 17, 2023, enabling companies to begin submitting initial self-certification submissions to participate in DPF. Note, however, that companies must have come into compliance with DPF requirements before submitting their self-certification.
7. How does DPF address the concerns raised by the Court of Justice of the European Union (CJEU) in the decision invalidating Privacy Shield?
In invalidating Privacy Shield, the CJEU expressed concerns about the scope and proportionality of US government surveillance activities, as well as the level of recourse available to EU individuals to object to such activities. In October 2022, President Biden released the Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) that includes a number of additional safeguards relating to the US government’s intelligence gathering activities and redress mechanisms. As discussed in more detail in our previous analysis, these additional safeguards are intended to resolve the CJEU’s concerns. The US government recently confirmed that it has adopted policies and procedures pursuant to EO 14086.
8. How do a company’s obligations under DPF compare with those under Privacy Shield?
The EU-US Data Privacy Framework Principles (set forth in Annex I of the EU’s adequacy decision) build upon the predecessor EU-US Privacy Shield Framework Principles. Companies will want to review the DPF Principles and Supplemental Principles closely to assess the differences and evaluate their documented methods for compliance. The DPF obligations apply to all personal data transferred in reliance on DPF. As a high-level overview, the seven core DPF Principles are as follows:
- Notice: DPF includes detailed notice requirements, including requirements to provide notices that contain a number of specific details related to rights and obligations under DPF. These requirements might be addressed in a DPF supplement or addendum to the company’s privacy policy, for example.
- Choice: DPF requires offering certain choices to individuals whose information is received under DPF, regarding the processing of their personal data. For example, DPF generally requires offering individuals the opportunity to opt out of (1) the disclosure of their personal information to a third-party controller or (2) the use of their personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. When the personal information is sensitive in nature (e.g., specifying medical or health conditions, race or ethnic origin, political opinions or philosophical beliefs, trade union membership, or sex life), the company generally must instead obtain the individual’s express opt-in consent to such disclosures or uses.
- Accountability for Onward Transfers: DPF requires participating companies to comply with certain procedures and impose certain types of contractual terms when transferring personal data received under DPF to a third party.
- Security: DPF requires taking reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction while taking into due account the risks involved in the processing and the nature of the personal information.
- Data Integrity and Purpose Limitation: DPF generally requires a participating company to use and retain the personal information only for the purposes for which it has been collected or subsequently authorized by the individual. DPF also requires taking reasonable steps to ensure the reliability of personal data with respect to its intended use.
- Access: DPF requires a participating company to allow individuals to access their personal data. DPF also generally requires allowing individuals to correct, amend, or delete information deemed inaccurate or that has been processed in violation of DPF, subject to certain exceptions.
- Recourse, Enforcement, and Liability: DPF requires a participating company to implement robust recourse mechanisms, cooperate with authorities, and arbitrate claims in accordance with DPF. Additional requirements apply when self-certifying to DPF for human resources data.
DPF requires companies to verify their compliance with DPF either through self-assessment or outside compliance reviews.
9. How do the DPF obligations compare with those under the California Consumer Protection Act (CCPA) or similar state consumer data privacy laws?
At a high level, the DPF Principles (discussed above) share many elements in common with CCPA and similar state consumer data privacy laws, such as general principles concerning notice, data subject rights (e.g., access, correction, deletion), and safeguards for transfers to third parties and service providers/agents. However, the specific compliance obligations under DPF differ in many respects from CCPA and similar laws: e.g., DPF requires additional DPF-specific privacy notices, internal or external assessments, and opt-out/opt-in requirements that differ from CCPA and similar laws. Companies that have developed internal compliance programs for CCPA and similar laws may be able to leverage and expand their existing measures in order to address DPF requirements as well, but would want to map the DPF requirements against the measures they already have implemented.
10. What about data transfers from the UK or Switzerland?
UK: The UK government is separately working with the US on a UK extension to the DPF mechanism. The ITA has stated that US companies that self-certify to DPF may also self-certify their compliance with the UK extension, although they may not begin relying on it for data transfers until the UK has formally approved the UK extension.
Switzerland: The ITA has confirmed that, as of July 17, 2023, the Swiss-US Data Privacy Framework will enter into effect. US companies that self-certified to the Swiss-US Privacy Shield program must comply with the Swiss-US DPF, including by updating their privacy policies by October 17, 2023. Eligible companies that have not self-certified to the Swiss-US Privacy Shield program may choose to self-certify to the Swiss-US DPF, as of July 17, 2023.
11. Can I expect the Data Privacy Framework to remain effective, considering the prior successful challenges to the Privacy Shield and Safe Harbor frameworks?
As discussed in our more detailed DPF analysis, DPF is the third attempt to establish a streamlined mechanism to facilitate transfers of personal data from the EU to the US. Max Schrems, who led the successful challenges to the previous two EU-US transfer mechanisms (the Privacy Shield program and, before it, the Safe Harbor program), has already vowed to challenge DPF. Although both the European Commission and US government representatives have been optimistic about the chances of DPF surviving an expected legal challenge, at this stage it is unclear whether it will. The European Commission will review DPF within one year after its entry into force (and periodically thereafter) and may, in theory, adapt or even withdraw it in light of developments affecting the level of protection in the US. Although DPF offers significant advantages, companies may wish to consider whether to continue using more established mechanisms such as SCCs, or whether to self-certify to DPF with back-up arrangements that would cause SCCs to kick in if DPF is invalidated in the future.
For additional information: the following articles provide more detailed analysis of DPF, and please stay tuned to FBD's Technology Quotient data and cyber page: