by Dr. Martin Braun, Kirk J. Nahra, Tamar Y. Pinto, Shannon Togawa Mercer, Itsiq Benizri, and Valentino Halim
On July 10, 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the successor to the EU-U.S. Privacy Shield, which the Court of Justice of the European Union deemed invalid on July 16, 2020. The U.S. Department of Commerce (“DoC”) is charged with administering and monitoring the EU-U.S. DPF program.
On July 17, 2023, the DoC International Trade Administration launched its EU-U.S. DPF website. Companies are now able to review the key requirements for participating organizations, including how to join the program and how to recertify.
How to Join or Recertify
If your company would like to participate in the EU-U.S. DPF and is not actively certified under the EU-U.S. Privacy Shield, you will have to self-certify via the DPF website. The DoC has provided a guide to self-certification, and further information in preparation for the process can be found in the DPF website’s FAQs.
If your company is currently actively certified under the EU-U.S. Privacy Shield, it may rely on the EU-U.S. DPF immediately, provided it complies with the EU-U.S. DPF Principles. You will still need to update your privacy policy as soon as possible, and no later than October 10, 2023. Requirements for compliant privacy policies can be found in the DPF website FAQs. An organization’s privacy policy must align with the DPF principles, specifically including each element of the notice principle, which sets out the items about which a company must provide transparency to data subjects. The DoC also provides sample language for a company to use when it represents that it is participating in the EU-U.S. DPF.
The UK and Switzerland
Parties certifying via the DPF website may also certify under the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK Extension”). However, as of the time of this client alert, neither framework may be relied on for data transfers.
On June 8, 2023, the UK and the U.S. agreed to establish a “data bridge”; but the UK has yet to recognize U.S. data protection, or the protection to be provided under the UK Extension, as adequate. Until such a determination, companies may not rely on the UK Extension for data transfers from the UK to the U.S. However, the U.S. government expects that the UK government will find the program adequate at some point in the future.
Likewise, while the Swiss-U.S. DPF principles are effective as of July 17, 2023, companies cannot rely on the Swiss-U.S. DPF for data transfers until Switzerland’s adoption of an adequacy decision.
Key Aspects of the EU-U.S. DPF
Principles. Like its predecessor, the EU-U.S. DPF is based on a system of certification by which U.S. organizations commit to a set of core principles, in this case the EU-U.S. Data Privacy Framework Principles. The principles include notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The principles apply immediately upon self-certification.
Eligibility. To be eligible for certification under the EU-U.S. DPF, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).
DoC compliance monitoring. In accordance with the European Commission’s adequacy decision, the DoC may carry out “spot checks” of randomly selected organizations or specific organizations when potential compliance issues are identified (e.g., reported to the DoC by third parties) to verify whether (i) point(s) of contact for handling complaints and data subject requests are available and responsive; (ii) the organization’s privacy policy is readily available, both on its website and via a hyperlink on the DoC’s website; (iii) the organization’s privacy policy complies with the certification requirements; and (iv) the organization’s chosen independent dispute resolution mechanism is available to handle complaints.
In addition, the DoC will carry out cross-checks with the FTC and DoT to verify that the organizations are subject to the oversight body identified in their certification submissions. The DoC will also work with alternative dispute resolution bodies to verify that the organizations are registered for the independent recourse mechanism identified in their certification submission.
Publication. The DoC will maintain and make available to the public the Data Privacy Framework List (the “List”) of organizations that have certified their adherence to the principles. The List will be updated on the basis of an organization’s annual recertification submission and also when an organization is removed. The European Commission’s adequacy decision requires the DoC to make available to the public a record of organizations removed from the List, along with the reason for removal.
Removal. If a company is removed from the EU-U.S. DPF, it must return or delete the personal data received under the EU-U.S. DPF. In the event an organization voluntarily withdraws, the organization must notify the DoC in advance. Furthermore, the organization must either (i) delete or return the data or (ii) retain the data, provided it affirms to the DoC on an annual basis via its annual recertification its commitment to continue to apply the principles or provides adequate protection for the personal data by another authorized means (e.g., via standard contractual clauses). Its notice of withdrawal should indicate what it plans to do with the personal data received under the EU-U.S. DPF.
False claims of certification. The DoC will monitor for false claims of EU-U.S. DPF participation. Any misrepresentation to the general public concerning an organization’s adherence to the principles may be subject to enforcement action by the FTC, DoT or other relevant U.S. enforcement authorities, and misrepresentations made to the DoC itself may be actionable under the False Statements Act (18 U.S.C. § 1001).
Assignment. An organization that will cease to exist due to a change in corporate status—for instance, as a result of a merger, takeover, bankruptcy or dissolution—must notify the DoC of this in advance (the contact link for this notification is forthcoming). The notification should also indicate whether the entity resulting from the change in corporate status will (i) continue to participate in the EU-U.S. DPF through an existing self-certification; (ii) self-certify as a new participant in the EU-U.S. DPF (e.g., where the new entity or surviving entity does not already have an existing self-certification through which it could participate in the EU-U.S. DPF); or (iii) put in place other safeguards to ensure continued application.
Dr. Martin Braun and Kirk J. Nahra are Partners, Itsiq Benizri is Counsel, Shannon Togawa Mercer and Valentino Halim are Senior Associates, and Tamar Y. Pinto is an Associate at Wilmer Cutler Pickering Hale and Dorr LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).