Explaining The New Data Privacy Framework: Privacy Shield’s Replacement

Posted on: Tue, 07/09/2024

By: Luis M. Martinez, Esq., Vice President, International Centre for Dispute Resolution

The Privacy Shield Framework, established to protect European Union (EU) citizens’ personal data from access by U.S. intelligence services, was invalidated in 2020 by the Court of Justice of the European Union (CJEU), which held that the Privacy Shield did not provide adequate protection.

In response, a new Data Privacy Framework (DPF) was developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the U.S. from the EU and European Economic Area, the United Kingdom (UK), Gibraltar, and Switzerland that are consistent with EU, UK, and Swiss data protection laws. These programs are the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Why is the Data Privacy Framework Important?

U.S. organizations need the DPF program to comply with EU, UK, and Swiss data protection laws, such as the EU General Data Protection Regulation (GDPR), one of the strictest data protection laws in the world.

It requires businesses that process the personal data of EU citizens to comply with certain requirements, such as obtaining consent for data processing and providing individuals with access to their data, deleting data when it is no longer necessary, implementing appropriate technical and organizational measures to protect personal data, and transferring personal data only to countries outside the EU that have adequate safeguards in place.

The fines for violating the GDPR can be significant—up to 20 million euros or 4% of the organization’s global annual revenue from the preceding financial year, whichever is greater. Understanding the options to avoid running afoul of these data protection laws is essential. The DPF provides U.S. organizations with a mechanism to demonstrate compliance with the GDPR and other data protection laws.

The DPF program provides important benefits to U.S.-based organizations as well as to their partners in Europe. The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF will be recognized by the European Commission, the UK Government, and the Swiss Federal Administration as compliant with relevant EU, UK, and Swiss data protection requirements applicable to transfers of personal data to the United States in support of transatlantic commerce. Once such formal recognition enters into force, participating organizations will be deemed as providing adequate privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU GDPR, outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP). Compliance requirements are clearly laid out and can be implemented by small and medium-sized enterprises.

How do U.S. organizations participate in the Data Privacy Framework?

The DPF program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce and enables eligible U.S.-based organizations to self-certify their compliance in accordance with the various DPF programs.

Participation in the DPF program is voluntary. To do so, an eligible U.S.-based organization is required to self-certify to the ITA via the Department's DPF program website and publicly commit to comply with the DPF Principles. Once an organization does so, that commitment is enforceable under U.S. law.

The organization is then placed on the Data Privacy Framework List, available to the public on the Department’s DPF program website. The ITA updates the list based on annual re-certification submissions made by participating organizations. Organizations are removed when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the ITA's procedures, or persistently fail to comply. The list of removed organizations is also available to the public, along with the reason each organization was removed. For more information, see https://www.dataprivacyframework.gov/s/.

Key Steps to Joining

Confirm your organization’s eligibility to participate in the DPF program.

Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) are currently eligible to participate in the DPF program. For personal data to be transferred in reliance on any part of the DPF program, it must be processed in connection with an activity that is subject to the jurisdiction of at least one of the statutory bodies listed in the DPF Principles.

Make specific reference in the privacy policy to your organization's compliance with the DPF Principles.

Your organization must develop a DPF-compliant privacy policy before submitting its initial self-certification to the ITA and ensure it conforms to the DPF Principles. Among other things, the privacy policy should reflect your organization's information-handling practices and the choices your organization offers individuals with respect to the use and disclosure of their personal information. It is important to write a policy that is clear, concise, and easy to understand.

Identify your organization's Independent Recourse Mechanism (IRM). (See section below.)

For the full list of steps to join the program, see https://www.dataprivacyframework.gov/s/.

What are the rights of nationals from participating countries pursuant to the DPF?

A participating organization must provide you with, among other things:

  • Information on the types of personal data collected
  • Information on the purposes of collection and use
  • Information on the type or identity of third parties to which your personal data is disclosed
  • Choices for limiting use and disclosure of your personal data
  • Access to your personal data
  • Notification of the organization’s liability if it transfers your personal data
  • Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
  • Reasonable and appropriate security for your personal data
  • A response to your complaint within 45 days
  • Cost-free independent dispute resolution to address your data protection concerns
  • The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means

The Independent Recourse Mechanism (IRM)

The DPF requires participating organizations to provide, at no cost to the individual, an Independent Recourse Mechanism (IRM) to investigate and expeditiously resolve each individual’s complaints and disputes. The IRM is a free and confidential service that provides EU, Swiss, and UK individuals with a way to resolve disputes with U.S. organizations regarding the handling of their personal data.

To meet this requirement, an organization may choose an alternative dispute resolution (ADR) provider to resolve its disputes.


NOTE: The ICDR, the international division of the American Arbitration Association® (AAA®), plays a critical role in the DPF.

For information on how the ICDR can help as an independent recourse mechanism for the DPF Program, see https://go.adr.org/dpf_irm.html.

For information on all of the ICDR’s Data Privacy Framework Service, see https://icdr.org/dpf.


Adapted from Corporate Disputes Magazine