Decoding the EU-U.S. Data Privacy Framework: What Your Business Needs to Know

Contributor(s): Danie Strachan, Isabel Fernández Del Campo Aguiló
Related topics: U.S. Privacy Laws, Privacy Shield, GDPR, Data Privacy Framework

The media extensively covered the recent launch of the EU-U.S. Data Privacy Framework (DPF), generating significant excitement. However, while the topic has captivated lawyers and privacy professionals, it has left many organizations with lingering questions about what exactly the DPF entails. In this post, we will unravel the DPF and provide clarity on its specifics, addressing common questions that have left many organizations puzzled.

What Is the Data Privacy Framework?

Most organizations rely on the processing of personal data for their day-to-day operations. This data refers to information about an identified or identifiable person, like their birth date, email address, phone number, purchase records, health information, and even online identifiers like IP addresses and device identifiers. To ensure the proper handling of this personal data, many countries have established laws that organizations must follow in order to process data legally.

Processing Personal Data in the EU

If an organization is established in the European Union¹, it has to comply with the General Data Protection Regulation (GDPR) when processing personal data. This is relevant for organizations in the U.S. that receive personal data from EU organizations. For example, a European business might want to send customer data to a marketing company in the U.S. or share employee data with a U.S. HRIS software provider. Such data can only be transferred legally if the situation meets the requirements set by the GDPR.

Transferring Personal Data from the EU

The GDPR offers several ways to transfer personal data to another country. The easiest method is if the EU Commission has approved the other country through an “adequacy decision.” To enable the transfer of personal data from the EU to the U.S., two frameworks were created. These frameworks allowed U.S. businesses to receive personal data if they were certified under the relevant framework. Certification involved a formal process where these organizations demonstrated their dedication to safeguarding the privacy and security of the transferred data. This certification provided assurance to EU organizations that the U.S. counterparts had taken necessary measures to protect the data.

Initially, the Safe Harbor framework facilitated transfers from the EU to the U.S. However, it was invalidated by the Court of Justice of the European Union (CJEU) in 2015 in a case initiated by privacy activist Max Schrems. To address the concerns raised by the CJEU and ensure the uninterrupted flow of personal data to the U.S., the EU and U.S. introduced the Privacy Shield Framework. Unfortunately, the Privacy Shield also met the same fate in 2020 when it was invalidated by the CJEU in another case known as “Schrems II.”

The European Commission has now approved the EU-U.S. Data Privacy Framework (DPF) as a valid mechanism to transfer personal data from the EU. It recognizes that the U.S. provides an adequate level of protection for personal data transferred to DPF-certified organizations. This is a positive development that will facilitate compliant data transfers from the EU to the U.S.

How Do I Certify to the DPF?

To join the DPF, an organization must meet certain requirements and then self-certify. The self-certification is performed on a dedicated website managed by the U.S. Department of Commerce’s International Trade Administration (ITA).

Once an organization is confident that it meets the DPF requirements, the organization needs to register a profile on the DPF website and declare its commitment to adhering to the principles of the DPF. This declaration is legally binding and enforceable. Organizations have the choice to handle the certification process themselves or seek assistance from service providers like VeraSafe, who can guide them through it.

Independent Recourse Mechanism

During the certification, the organization must indicate which independent dispute resolution body, known as a dispute service provider, the organization has hired to handle its DPF privacy disputes (if any were to arise). This provider will handle any complaints raised by individuals regarding the organization’s handling of their personal data. VeraSafe offers a Dispute Resolution service that meets DPF requirements.

Fees

To sustain the administration and supervision of the DPF program, participating organizations are required to pay an annual fee. The fee is determined based on a tiered structure, taking into account the organization’s annual revenue.

Recertification

Certification under the DPF is valid for one year and participants must re-certify annually. A re-certification processing fee is payable and is calculated in accordance with the same schedule as the initial certification processing fee.

How Do I Know that My Organization Complies with the DPF Requirements?

Verification is an essential part of meeting the DPF requirements. It involves confirming that the organization’s privacy practices align with the DPF principles. Verification can be done through self-assessment or outside compliance reviews.

Self-Assessment

For self-assessment, organizations must ensure that their privacy notice (also known as a privacy policy) accurately reflects how they handle personal data received from the EU. They need to inform individuals about complaint handling procedures and available recourse options. It’s also important to train employees, conduct periodic compliance reviews, and maintain records. A signed statement confirming completion of the self-assessment is also required.

External Verification

Outside compliance reviews involve verifying that the privacy notice accurately and comprehensively represents the organization’s data practices and conforms to the DPF principles. It should also provide information to individuals about complaint mechanisms. A signed statement confirming the successful completion of the review is necessary.

Organizations must retain records of their DPF implementation and make them available upon request, especially during investigations or complaints. These records should be provided to the independent dispute resolution body or the relevant agency upon request. Organizations also need to promptly respond to inquiries from the U.S. Department of Commerce regarding DPF compliance.

What Is the Difference between Privacy Shield and the DPF?

The Privacy Shield is the predecessor to the DPF and had the same purpose: facilitating the transfer of personal data from the EU (and Switzerland) to certified organizations in the U.S. However, the Privacy Shield was invalidated in 2020 due to deficiencies in the U.S. legal framework concerning signals intelligence activities and redress for EU individuals. It is important to note that the invalidation was not due to shortcomings in the Privacy Shield obligations themselves. Following the Privacy Shield invalidation, the EU and the U.S. collaborated in addressing these deficiencies and worked on a replacement framework. The DPF is now the current framework for transferring personal data from the EU to organizations in the U.S. The obligations for organizations under the Privacy Shield and the DPF are substantially the same.

Does DPF Certification Mean My Business Is Compliant under the GDPR?

No. DPF certification merely serves as assurance that your business meets the GDPR’s requirements in order for an organization in the EU to transfer personal data to you. The certification does not mean that your business complies with the GDPR’s requirements generally. The importance of GDPR compliance cannot be overstated, however, and organizations can greatly benefit from the assistance of service providers such as VeraSafe, who specialize in providing comprehensive compliance services.

Who Needs to Certify under the DPF?

Certification under the DPF is voluntary and not a requirement under U.S. law. However, obtaining a DPF certification can be highly advantageous. It is the easiest method to transfer personal data from GDPR-regulated customers and EEA entities to U.S. entities. By contrast, Standard Contractual Clauses (SCCs) need to be put in place specifically between the parties and typically involve negotiations, while personal data can be transferred seamlessly based on the EU Commission’s adequacy decision for the DPF.

By achieving DPF certification, your organization can provide a seamless and secure data transfer process, instilling confidence in your EEA customers. This is particularly valuable for U.S.-based SaaS companies that provide services to clients in the EU. This certification serves as a powerful selling point and enables such U.S. organizations to confidently close deals with their EU clients.

VeraSafe encourages all U.S. organizations that receive personal data from Europe to consider the benefits of being certified to the DPF. Get certified with VeraSafe’s trusted DPF services. Learn how our team can streamline your data transfers while ensuring compliance and building trust.


1. Or the European Economic Area, which includes the 27 EU countries, plus Liechtenstein, Iceland, and Norway.

Contact VeraSafe to discuss your data security management and privacy program today.