Client Alerts - Data Privacy and Cybersecurity, Aug 17, 2023

DOC’s New Data Privacy Framework Enables Companies to Self-Certify Participation in Cross-Border Data Transfers

Data Transfer Facilitation Improved Under New Framework

On July 17, 2023, the U.S. Department of Commerce (DOC) launched the new EU-U.S. Data Privacy Framework (EU-U.S. DPF) program website. This website, and the associated self-certification process, enables eligible companies to once again facilitate the cross-border transfer of personal data through participation in the EU-U.S. DPF, among other transfer mechanisms.

Development of the EU-U.S. DPF

Generally, under the General Data Protection Regulation (GDPR), the cross-border transfer of personal data is prohibited absent an adequate level of data protection in the receiving country as determined by the European Commission, unless a permitted transfer mechanism is used. Many companies previously relied on the EU-U.S. Privacy Shield Framework (“Privacy Shield”) to facilitate data transfers between the European Economic Area, United Kingdom, Switzerland (together, “Europe”) and the U.S. in the absence of an adequate protection finding for the U.S. In 2020, however, the Court of Justice of the European Union (CJEU or “Court”) invalidated the Privacy Shield in a case commonly referred to as Schrems II, as we noted in a previous client alert.1 The CJEU explained that the Privacy Shield permitted government access to personal data subject to the GDPR based on national security concerns, public interest and domestic laws. Specifically, the Court was concerned about U.S. government surveillance programs and the lack of means by which data subjects could enforce their privacy rights.

In 2023, the EU-U.S. DPF was adopted to replace the Privacy Shield. This program was designed to address the concerns raised in Schrems II. In October 2022, President Biden signed Executive Order (EO) 14086, which further bolsters privacy and civil liberties safeguards. Specifically, EO 14086:

  • Creates safeguards limiting access to personal data by U.S. intelligence authorities to what is “necessary and proportionate” to protect national security.
  • Enhances oversight of activities by U.S. intelligence services to monitor compliance with limitations on surveillance activities.
  • Establishes an independent and impartial redress mechanism, including the new Data Protection Review Court, to investigate and resolve complaints regarding personal data access by U.S. intelligence services.

On July 10, 2023, the European Commission issued an adequacy decision which found that the EU-U.S. DPF, coupled with the protections outlined in EO 14086, adequately protects personal data and permits cross-border data transfers from Europe to the U.S.2

Self-Certification Requirements

To participate, eligible companies must certify and publicly commit to complying with the EU-U.S. DPF Principles (“Principles”) (and/or the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, as may be applicable), which set forth detailed privacy requirements. These Principles provide guidance regarding key privacy and security requirements such as providing data subjects with notice, choice and access to their personal data; accountability for onward transfers; data integrity and purpose limitations; and recourse and enforcement mechanisms. As of July 17, 2023, eligible companies may self-certify compliance with these Principles. To be eligible, participating companies must, among other things, meet the following requirements:

  • Inform individuals about data processing: Participating companies’ privacy policies must include, among other things, a declaration of the participating organization’s commitment to comply with the EU-U.S. DPF Principles, which are enforceable under U.S. law. Further, participating companies must inform individuals of their rights (including to access their personal data); the requirement to disclose personal data in response to lawful requests by public authorities, and which enforcement authority has jurisdiction over compliance; and the companies’ accountability for onward transfer of personal data to third parties.
  • Provide free and accessible dispute resolution: Participating companies must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and resolved. Further, participating companies must commit to binding arbitration to address any complaints not resolved by other recourse and enforcement mechanisms.
  • Cooperate with the DOC: Participating companies must respond promptly to inquiries and requests for information relating to the EU-U.S. DPF from the DOC’s International Trade Administration.
  • Maintain data integrity and purpose limitations: Participating companies must limit personal data to the information relevant to achieve the purposes described for processing the personal data. Further, participating companies will also need to comply with the GDPR’s data retention provisions. These provisions require that participating companies only retain the personal data for as long as it takes to achieve the purposes described for processing the personal data, subject to certain exceptions.
  • Accountability for data transferred to third parties: Participating companies that transfer personal data to a third party must enter into a contract with the third party to limit use of personal data. Specifically, this contract must require that participating companies provide data subjects with notice of what personal data is being collected and with a choice over how their personal data gets processed or used.
  • Transparency related to enforcement actions: Participating companies must make public any relevant EU-U.S. DPF-related content of a compliance or assessment report submitted to the Federal Trade Commission or the U.S. Department of Transportation.
  • Compliance even after departure from the EU-U.S. DPF: If a participating company leaves the EU-U.S. DPF program, the company must nevertheless annually affirm to the DOC that the company remains committed to maintaining the principles and requirements for any personal data received through the EU-U.S. DPF program.

Transitional Period for Previously Certified Companies

The EU-U.S. DPF provides a three-month transitional period for companies previously certified under the Privacy Shield. During this time, companies should update privacy policies to reflect the new EU-U.S. DPF requirements. These requirements must be met by October 17, 2023. Companies previously certified under the Privacy Shield may nonetheless immediately begin relying on the EU-U.S. DPF adequacy decision to receive personal data transfers cross-border. This transitional period does not extend to first-time applicants. Unlike previously covered companies, new applicants must wait for confirmation from the DOC before conducting data transfers.

Future Challenges to EU-U.S. DPF

Despite the recent adequacy decision, challenges to the EU-U.S. DPF are likely. For example, Max Schrems, the activist responsible for the invalidation of the Privacy Shield and its predecessor, the Safe Harbor program, has already announced plans to challenge the EU-U.S. DPF. While any legal challenge is ongoing, the EU-U.S. DPF will remain a viable transfer mechanism.

The EU-U.S. DPF will also be subject to periodic review by the European Commission. The first review will take place within a year of the entry of the adequacy decision. This review will seek to verify that the U.S. legal framework, and the new protections provided by EO 14086, are functioning effectively in practice.

The EU-U.S. DPF provides an important mechanism to support economic opportunity for companies of all sizes across all sectors of the U.S. economy, but future adjustments to the program are likely. Experienced data security and privacy counsel can guide companies through the certification process and advise about compliance requirements.

Additional Assistance

Our attorneys have a wealth of experience handling cross-border data transfer issues and are available to assess your website to determine whether your company is in compliance with the GDPR and other privacy authorities. For more information on this topic, please contact a member of the Data Privacy and Cybersecurity Industry Team or the Phillips Lytle attorney with whom you have a relationship.

1   “CJEU Invalidates Privacy Shield, Intl Data Transfers Under GDPR,” Phillips Lytle Data Privacy and Cybersecurity Client Alert, July 2020.

2   Companies can also self-certify compliance with the U.K. Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, which enables cross-border data transfers from those jurisdictions to the U.S. Participation in the U.K. Extension specifically requires participation in the EU-U.S. DPF.
