The EU-U.S. Data Privacy Framework, or EU-U.S. DPF, is the newest mechanism designed to facilitate cross-border transfers of personal data from the European Union to the United States.

After the downfall of Safe Harbor and, subsequently, the EU-U.S. Privacy Shield, it remains to be seen whether the EU-U.S. DPF will conclusively resolve the issues that led the Court of Justice of the European Union (CJEU) to invalidate the previous frameworks.

This article will walk you through the key provisions of the new transatlantic framework. We'll examine what it entails, which businesses can participate, how businesses can comply, and more. Let's dive in.




What is the EU-U.S. Data Privacy Framework?

The EU-U.S. Data Privacy Framework is the third and latest program designed for transatlantic data flows between the European Union and the United States. An agreement in principle was announced on March 25, 2022, and the European Commission adopted its adequacy decision for the framework on July 10, 2023.

The EU-U.S. DPF replaces the Privacy Shield. Strictly speaking, the adequacy decision does not cover the United States as a whole: it covers transfers to U.S. organizations that have self-certified to the framework. In other words, businesses can use the new framework to ensure "adequate" protection for the personal data of EU residents when transferred to a certified organization in the United States, without needing a separate transfer tool such as Standard Contractual Clauses.

The EU-U.S. DPF represents the combined efforts of the EU and the U.S. to rebuild and stabilize cross-border data flows. According to the European Commission President, Ursula von der Leyen:

"The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic..."

In practice, the EU-U.S. DPF does the following:

  • Aims to address the concerns raised by the Court of Justice of the European Union (CJEU) when it invalidated the EU-U.S. Privacy Shield in Schrems II
  • Limits access to EU personal data by U.S. intelligence agencies to what is necessary and proportionate for defined national security objectives, as set out in Executive Order 14086, while respecting privacy and civil liberties
  • Updates the privacy principles that regulated data transfers under the Privacy Shield
  • Establishes a Data Protection Review Court (DPRC) as a second, binding tier of review to strengthen accountability
  • Establishes an independent and impartial redress mechanism for EU residents who believe their personal data has been unlawfully accessed or misused by U.S. intelligence agencies

Background of the EU-U.S. Data Privacy Framework


The story begins with the GDPR's (and, before it, the 1995 Data Protection Directive's) requirement that personal data of EU residents only be transferred to non-EU countries that offer an "adequate" level of protection. The U.S. has never held a general adequacy decision, so other arrangements had to be made.

First, there was the Safe Harbor program introduced in July 2000. It allowed U.S. companies to self-certify that they would observe certain privacy principles when handling EU data. It was invalidated by the CJEU in October 2015 (the Schrems I case) due to concerns about U.S. government surveillance practices and the lack of effective redress for EU residents.

Next, the Privacy Shield replaced Safe Harbor: it was announced in February 2016 and its adequacy decision was adopted in July 2016. It was more robust, promising better protection during transfers. However, it was also invalidated in July 2020 in the Schrems II case, for similar reasons as Safe Harbor.

Without a valid framework, U.S. companies turned to alternative transfer mechanisms like Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). These remain valid, but after Schrems II they require a case-by-case transfer impact assessment and, where needed, supplementary measures, which many organizations have found difficult and costly to implement.

Now, the EU-U.S. DPF has been introduced to ensure safe data transfers while strengthening economic ties. However, the framework is still relatively new, and only time will tell whether it will withstand the legal challenges to come.

Key Definitions Under the EU-U.S. Data Privacy Framework


The EU-U.S. DPF protects the personal data of individuals in the EU when transferred to the United States by a certified controller or processor. Let's examine how the framework defines these key terms.

Personal Data Under the EU Data Privacy Framework

The EU-U.S. DPF defines personal data by referencing the definition under the General Data Protection Regulation (GDPR).

According to the official text of the framework, personal data is:

"data about an identified or identifiable individual that are within the scope of the GDPR received by an organization in the United States from the EU, and recorded in any form"

Notably, personal data in this context includes pseudonymized or "key-coded" research data, even when the key isn't disclosed to the receiving U.S. company, because such data remains personal data within the scope of the GDPR. Typical examples of personal data include names, email addresses, home addresses, IP addresses, phone numbers, identification numbers, etc.

Controller and Processor Under the EU Data Privacy Framework

In keeping with the GDPR, the EU-U.S. DPF classifies participating organizations into two familiar types: controllers and processors.

Under the framework, a data controller is "a person or organization which, alone or jointly with others, determines the purposes and means of processing personal data."

On the other hand, the framework refers to processors as "agents," meaning parties that process personal data on behalf of, and under the instructions of, a controller. In other words, processors are typically third-party service providers (such as hosting, analytics, or payroll vendors) working for controllers.

For more information, check out our article here: GDPR Data Controller vs. Data Processor

Who can Participate in the EU-U.S. Data Privacy Framework?


Like both its predecessors, the EU-U.S. DPF works through a self-certification system. U.S. organizations that wish to participate in the new framework have been able to self-certify since July 17, 2023, through the EU-U.S. DPF website launched by the U.S. Department of Commerce (DoC). Once an organization's certification is accepted, it is added to the public Data Privacy Framework List (the "DPF List").

To be eligible for certification under the EU-U.S. DPF, your company must be "subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT)."

Businesses that wish to self-certify under the EU-U.S. DPF must take the following steps:

  1. Comply with the privacy principles provided under the EU-U.S. DPF (more on this later in this article)
  2. Publicly declare your commitment to observe the EU-U.S. DPF privacy principles
  3. Submit an application on the EU-U.S. DPF website that includes your company's name, your purposes for processing personal data, and your independent recourse mechanism for investigating complaints
  4. Provide a publicly accessible Privacy Policy that reflects the EU-U.S. DPF principles, or update your existing policy
  5. Specifically state within your Privacy Policy that you comply with the EU-U.S. DPF principles
  6. Recertify your commitment to the EU-U.S. DPF principles annually and pay the certification fee

Notably, businesses that were already certified under the Privacy Shield could immediately rely on the EU-U.S. DPF for cross-border transfers. However, they were required to update their Privacy Policy and practices to reflect the EU-U.S. DPF principles by October 10, 2023, and must keep recertifying annually to remain on the DPF List.

For more information on self-certification under the EU-U.S. DPF, check out the official guide and FAQs released by the DoC.

What Does the EU-U.S. Data Privacy Framework Require?


As mentioned, the EU-U.S. DPF requires participating businesses to observe a number of privacy principles in order to provide adequate protection for personal data after it has been transferred.

These principles closely mirror the GDPR's data protection principles and, though slightly altered, are essentially the same as those under the Privacy Shield. The grouping below follows the way the European Commission summarizes them in the adequacy decision.

Let's examine each principle in turn.

Purpose Limitation and Choice

Simply put, when you collect personal data, use it only for the specific purposes you initially told your consumers about, or for purposes compatible with them.

If you want to use consumers' data for a materially different purpose or disclose it to a third party (other than an agent acting on your behalf), you must give them the option to opt out through "a clear, conspicuous, and readily available mechanism."

For instance, if you plan to use your customers' email addresses for a purpose other than the one originally established, tell them first and provide a prominent way for them to opt out at any time.

One typical example is including an "Unsubscribe" link at the bottom of your emails like Entrepreneurs HQ does here:

Entrepreneurs HQ email footer with Unsubscribe link highlighted

Another common opt-out mechanism is the "Reject/Decline" button on cookie banners.

Here's an example from Capgemini:

Capgemini cookie consent banner with Decline all cookies button highlighted

Processing Special Categories of Personal Data

Like the GDPR, the EU-U.S. DPF treats certain data types as sensitive and, therefore, requires extra protection for them. The framework's definition of "sensitive information" covers data relating to the following:

  • Health or medical conditions
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation or sex life

It also covers any other information that the transferring EU organization identifies and treats as sensitive under its own law.

If you handle these data types, you will be held to stricter standards under the EU-U.S. DPF. For instance, you'll need to obtain affirmative, express (opt-in) consent from consumers before disclosing their sensitive information to a third party or using it for a purpose other than the one for which it was collected.

Opt-in consent typically works through clickwrap agreements which require consumers to check an empty "I Agree" checkbox or click a prominent "I Agree" button to show that they approve a data processing activity.

Here's how Yelp obtains opt-in consent through empty checkboxes on its sign-up page:

Yelp sign-up form with consent checkboxes highlighted

Data Accuracy, Minimization, and Security

This principle is notably a three-part obligation. In short, you must do the following:

  • Ensure that the data you hold about consumers is accurate, complete, and kept up to date for its intended use.
  • Don't hoard personal data longer than necessary. Only collect what you truly need, and retain it only for as long as it serves the purpose for which it was collected (or a compatible purpose such as archiving, research, or legal compliance).
  • Maintain appropriate technical and organizational security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Your security measures should be proportionate to the risks involved and the nature of the data you handle.

Transparency

The transparency principle is essentially a requirement to publish a public notice (i.e., a Privacy Policy) that reflects the EU-U.S. DPF principles. It corresponds to the Notice principle under the Privacy Shield, which the DPF retains.

According to the DoC, a compliant Privacy Policy must include the following:

  • A declaration that you participate in the EU-U.S. DPF program
  • The type of personal data your company collects
  • Your purposes for processing data
  • The categories of third parties with whom you may share personal data and your purposes for doing so
  • The individual rights of consumers
  • Your company's contact information
  • Your available redress mechanism(s)
  • A statement that you're subject to the investigatory and enforcement powers of the FTC, the DoT, or another U.S. authorized statutory body
  • A statement of your liability in cases of onward transfers to third parties

Your Privacy Policy must also include links to the following:

  • The DoC's EU-U.S. DPF website
  • The DPF List of participating organizations
  • The website of your independent dispute resolution provider (or the relevant EU data protection authorities, if you have committed to cooperate with them)

For example, in the intro section of its Privacy Policy, Brightmetrics publicly declares that it observes the EU-U.S. DPF, including the UK and Swiss extensions. Brightmetrics also notes that it is subject to the FTC and includes a link to the DoC's website:

Brightmetrics Privacy Policy: EU-U.S. Data Privacy Framework clause

Importantly, your Privacy Policy must be written in "clear and conspicuous language." You must also provide notice (for example, by linking to your policy) when you first ask consumers for their data, or as soon as practicable afterward, and in any event before using it for a different purpose and before disclosing it to a third party.

Here's an excellent example from 23andMe:

23andMe Sign-up form with Privacy Statement highlighted

For more information on the Privacy Policy requirements under the EU-U.S. DPF, check out the Privacy Policy FAQs released by the DoC.

Individual Rights

Like the GDPR, the EU-U.S. DPF gives data subjects several rights over their personal information.

According to the framework:

"Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing, and the right to have data rectified and erased."

As a certified participant under the EU-U.S. DPF, you must honor these rights (and any other applicable rights) when handling consumers' data. In particular, individuals must be able to access the personal data you hold about them and to correct, amend, or delete it where it is inaccurate or has been processed in violation of the principles. You must respond "within a reasonable period of time" when consumers ask to exercise their rights.

What's more, your Privacy Policy must mention these rights and provide consumers with a simple mechanism to exercise them like Upwork does here:

Upwork Privacy Policy: Your choices and rights clause

Restrictions on Onward Transfers

As a certified organization under the EU-U.S. DPF, you must ensure that personal data remains protected when you share it with a third party, whether that party is a separate controller or an agent working on your behalf. This is the "Accountability for Onward Transfer" principle, and you remain liable if the recipient processes the data in a way that violates the principles, unless you can prove you were not responsible for the event giving rise to the damage.

Accordingly, you can only perform onward transfers if:

  • Your transfers are "for limited and specified purposes"
  • You've entered into a contract with the receiving party (a data processing agreement when the recipient is an agent/processor)
  • The contract requires the recipient to provide the same level of protection as the EU-U.S. DPF principles, and to notify you if it can no longer do so, in which case you must take reasonable steps to stop and remediate the unauthorized processing

Accountability

Under this principle, you must implement "appropriate technical and organizational measures" to comply with your obligations and be able to demonstrate that compliance to the competent authorities, such as the DoC and the FTC.

As such, you'll need to do the following:

  • Conduct regular internal assessments (self-assessment) or external audits to verify ongoing compliance, and keep a signed statement of the result on file for at least the period in which the DoC or FTC may request it
  • Maintain records of your data processing activities and of how your privacy practices implement the principles, so you can demonstrate compliance upon request
  • Ensure your published Privacy Policy continuously reflects the EU-U.S. DPF principles and your actual practices

You should also consider appointing a Data Protection Officer (DPO) to monitor your compliance even if you aren't legally required to do so.

Enforcement of the EU-U.S. Data Privacy Framework

The U.S. Department of Commerce (DoC) administers the EU-U.S. DPF and monitors the compliance of participating organizations with the above principles. Enforcement action against non-compliant organizations is taken by the Federal Trade Commission (FTC) or the Department of Transportation (DoT), which may treat a false claim of DPF participation as a deceptive practice.

The DoC will employ different mechanisms, including "spot checks of randomly selected organizations" and "ad hoc spot checks of specific organizations" when potential issues arise.

For each certified organization, the DoC will check whether:

  • You have valid and responsive contact point(s) for handling data subject requests and complaints
  • Your Privacy Policy is easily accessible on your website and via a hyperlink on the DoC's website
  • Your Privacy Policy complies with certification requirements
  • You have an independent dispute resolution mechanism for complaints

If the DoC has credible evidence that an organization isn't complying with the principles, it will require the organization to complete a detailed questionnaire. Failure to respond satisfactorily may lead to the organization's removal from the DPF List and to a referral to the FTC or the DoT for possible enforcement action.

Organizations that persistently fail to comply with the principles are removed from the DPF List and must either return or delete the personal data they received under the framework, or continue to protect it in accordance with the principles. A removed organization must also stop claiming to participate in the EU-U.S. DPF.

Summary

The EU-U.S. DPF is a new data transfer framework that aims to provide legal stability for cross-border data flows in a previously unsettled environment.

Addressing the EU-U.S. DPF, the Commissioner for Justice, Didier Reynders, said:

"The adoption of this adequacy decision is the final step to ensure safe and free transfers of data across the Atlantic. It ensures the protection of individual rights in our intangible and interconnected digital world, where physical borders do not matter much anymore..."

To recap, organizations who wish to participate in the EU-U.S. DPF must self-certify and commit to a number of privacy principles, including the following:

  • Purpose limitation and choice
  • Processing of special categories of personal data
  • Data accuracy, minimization, and security
  • Transparency
  • Individual rights
  • Restrictions on onward transfers
  • Accountability

With the EU-U.S. DPF now in effect, certified organizations can lawfully receive personal data from the EU without having to rely on alternative transfer mechanisms, for as long as the adequacy decision remains in force.

Ultimately, the EU-U.S. DPF reflects a shared commitment to protect individuals' privacy while enabling data-driven opportunities in the digital economy.
