The United States and the European Union have agreed to a new Data Privacy Network, allowing the EU, United Kingdom and Switzerland to safely share personal data across the Atlantic in a secure and compliant way. This agreement will have a major, positive impact on large US tech firms (e.g., Google, Meta, Microsoft) that share user data between Europe and the US. This new agreement replaces one called the Privacy Shield that was invalidated by the European Court of Justice in 2020. Since then, the nations have been collaborating and negotiating to find a solution that allowed the secure and compliant transfer of EU personal data to the US.

To facilitate the new agreement, a Data Privacy Framework website was launched, allowing eligible US companies to self-certify their participation in the EU-US Data Privacy Framework. The DPF website was a joint effort between the US Department of Commerce, the European Commission, UK Government, and Swiss Federal Administration. The DPT program went into effect July 10, 2023 with self-certification beginning July 17.

“With trans-Atlantic data flows estimated to underpin more than $1 trillion in trade and investment annually, the EU-U.S. DPF provides a necessary mechanism to support economic opportunity for U.S. businesses of all sizes across all sectors of the economy,” the US Department of Commerce said in a July 17 press release.

The DPF program is particularly valuable for small- and medium-sized enterprises that can now access an affordable and streamlined mechanism for personal data transfers from the European Economic Area (comprised of EU countries along with Iceland, Liechtenstein and Norway). Data flows between the United States and Europe more than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship,” added the US Department of Commerce.

Without the agreement, companies that depend on data transfers between the US and Europe to do business had to process and store user data locally or stop doing business in those countries. The new agreement solves that problem. The European Union said the new Data Privacy Framework addresses concerns previously raised by the European Court of Justice, including limiting access to EU data by US intelligence services.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues,” Ursula von der Leyen, president of the European Commission, in a July 10 press release.

Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.

Requirements for participating organizations

Only eligible US-based organizations can self-certify. The DPF program shared the following key requirements:

Notify individuals about data processing

• The organization’s privacy policy must declare their commitment to comply with DPF Principles, making it enforceable under US laws.
• The organization’s privacy policy must include a website URL, link to the DPF program website, or a complaint submission form where individual complaints can be filed for violations of the DPF Principles.
• The organization must notify individuals of the rights to access their personal data, the requirement to disclose personal information when a lawful request is made by public authorities which enforcement authority has jurisdiction over the participating organization’s compliance with the DPF Principles, and the participating organization’s liability in cases of the transfer of data to third parties.

Provide free and accessible dispute resolution

• Individuals can file a complaint directly with the organization in question, and the participating organization has 45 days to respond.
• Participating organizations have to provide a free, independent recourse mechanism to investigate and resolve disputes in a timely manner.
• If an individual files a company to the data protection authority in the EU, European Economic Area, UK or Switzerland, the US Department of Commerce’s International Trade Administration (ITA) will “undertake best efforts” to facilitate a resolution of the complaint and respond to the DPA within 90 days.
• Organizations must agree to binding arbitration if an individual requests it to address complaints that have not been resolved by other methods.

Cooperate with the US Department of Commerce¹

Organizations must respond promptly to requests or inquiries from the ITA related to the DPF in the EU, UK or Switzerland.

Maintain data integrity and purpose limitation

• Organizations must agree to limit the personal data collection to the data needed for the purposes of processing.
• Organizations must copy with the data retention provision of the DPF.

Ensure accountability for data transferred to third parties

To transfer personal information to a third party acting as a controller, a participating organization must:

• Comply with the Notice and Choice Principles.
• Enter into an agreement with the third-party controller that such data may only be processed for “limited and specified purposes” that are consistent with the consent of the individual. The recipient of the data will provide the same level of protection specified in the DPF Principles and will notify the originating organization if it can no longer meet its obligation or agreement.
• Provide a summary of the relevant policy provisions of its agreement with the third party to the US Department of Commerce.

To transfer personal data to a third party acting as an agent, the participating organization must:

• Transfer data only for “limited and specified purposes”
• Determine that the agent is obligated to provide at least the same level of privacy protection as required by the DPF Principles
• Take “reasonable and appropriate” steps to ensure the agent effectively processes the personal data transferred in a manner that is consistent with the originating organization’s obligations by the DPF Principles
• Require the agent to notify the organization if it can no longer meet its obligation or agreement.
• Take “reasonable and appropriate” steps to stop and remediate unauthorized processing.

Be transparent related to enforcement

• Organizations must make public any relevant DPF-related sections of any compliance or assessment report that is submitted to the Federal Trade Commission or the US Department of Transportation if the organization becomes subject to an FTC or court order for noncompliance.

Ensure commitments are kept while in possession of data

• If an organization leaves the relevant part(s) of the DPF program, the organization must annually reaffirm to the ITA its commitment to apply the DPF Principles to data received under the relevant part(s) of the DPF program if the organization wants to retain the data. Otherwise, the organization must provide “adequate” protection for the information by “another authorized means.”

Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.

Data Privacy Framework list

On the DPF website, the US Department of Commerce lists companies that have committed to following the DPF. To learn if an organization has committed to the data privacy framework, a website visitor has to search for a specific company. Here are a few that have already committed to following the DPF to facilitate compliant data transfers between the US and Europe.

• Adobe
• Amazon
• Google
• Meta
• Microsoft
• Salesforce

There are a few notable companies missing including Apple, TikTok and X Holdings Corp.

For additional information, website visitors can click on a listed company to see what related companies are listed under the main corporate name. For example, Amazon lists Amazon Advertising, Amazon.com Services, Audible, Amazon Web Services and Amazon.com as other covered entities. Their listing includes their certification history, a stated purpose for data collection, their privacy policy and dispute resolution contact information and their non-HR recourse mechanism via VeraSafe.

Their stated purpose for data collection is as follows:

“In general, the personal information we collect enables us to provide goods and services to customers, users, vendors, and sellers and helps us to personalize and improve the experience at our web sites. We use the information for different purposes depending upon the goods or services being provided. Among other things, these purposes may include the following: handling orders; delivering products and services; processing payments; processing for other purposes as required by our services; communicating with customers, users, vendors, and sellers about orders, products, services and promotional offers; updating our records and generally maintaining customer, user, vendor, and seller accounts; displaying content; and recommending merchandise and services that might be of interest to our customers, users, vendors, or sellers. We also use this information to prevent or detect fraud or abuses of our web sites, and enable third parties to carry out technical, logistical or other functions on our behalf.”

Agreement faces scrutiny

CNBC reports that the new agreement is already facing scrutiny from privacy proponents who don’t believe that the level of protection afforded European citizens is sufficient. They don’t feel the new Data Privacy Framework extends much beyond the Privacy Shield that was previously in place, and industry experts say that the new agreement is likely to face legal challenges, according to Computerworld.

“Third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months. The allegedly “new” Trans-Atlantic Data Privacy Framework is largely a copy of the failed “Privacy Shield”. Despite the European Commission’s public relations efforts, there is little change in US law or the approach taken by the EU. The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights,” says the NOYB (None of Your Business) website.

The website calls out President Joe Biden and Commission President von der Leyen for tricking the public by coming to an agreement that is based on political interests rather than a desire to protect personal data.

“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission’s problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702,” said Max Schrems, chair of NYOB.

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now,” Schrems added.

What’s next?

Many American companies have already committed to the new Data Privacy Framework, but that doesn’t ensure its smooth implementation. The DPF puts mechanisms in place for individuals to seek recourse if they believe their data is or has been vulnerable due to lack of adequate care. Legal challenges seem likely if the new agreement falls short.

¹Data Privacy Framework Program: Key Requirements for DPF Program Participating Organizations, US Department of Commerce.

Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.