On 10 July 2023, the European Commission adopted its decision on the EU – US Data Privacy Framework (DPF), which entered into force with immediate effect.
The decision concluded that the United States ensures a sufficient level of protection for personal data transferred from the EU to US companies under the new framework. The Data Privacy Framework replaces the EU – US Privacy Shield that was invalidated by the Schrems II judgment of 2020.
The EU – US Data Privacy Framework sets out obligations for US companies, such as the requirement to delete personal data when it is no longer needed and to ensure that personal data remains protected when it is shared with third parties. The DPF also foresees limits on access to the data of EU citizens by US intelligence services and establishes a Data Protection Review Court (DPRC), which EU individuals can access.
Read the article to learn more about how to comply with the EU – US Data Privacy Framework.
How to Comply with the EU – US Data Privacy Framework?
To comply with the EU – US Data Privacy Framework, companies must ensure the protection of personal data transferred to the United States. To do that, companies must perform the following steps to implement adequate privacy measures.
Obtain self-certification
On July 17, 2023, the International Trade Administration (ITA) within the US Department of Commerce (DoC) opened the DPF program website. It includes instructions and detailed information for self-certification.
To participate in the DPF program, US organizations can self-certify their compliance with the DPF Principles via the DPF program website and must publicly commit to such compliance.
The DoC states that the DPF program is not a compliance mechanism with the General Data Protection Regulation (GDPR), but rather a means for organizations to meet the EU requirements for transferring personal data to the United States.
DPF program certification signals a commitment to data privacy and can enhance trust in an organization. All registered organizations can be found on the Data Privacy Framework List.
- Companies currently certified under the EU – US Privacy Shield
Companies that are actively certified under the EU – US Privacy Shield do not need a separate self-certification to the DPF. They can rely on their existing EU – US Privacy Shield certification if they consider themselves compliant. However, these companies must update their Privacy Policy and principles per the requirements of the DPF by October 10, 2023.
Read the guide about how to update your privacy policy according to the DPF principles.
- Companies that want to self-certify under the EU – US Privacy Shield
Companies that would like to initially self-certify for the EU – US Privacy Shield must submit an application that confirms the company’s compliance with the principles of the DPF. Read more about how to join the Data Privacy Framework program.
- Companies with expired EU – US Privacy Shield certification
Companies with expired Privacy Shield certification, or those that have previously withdrawn from it, need to re-certify with the EU – US Data Privacy Framework. The same account credentials used under the Privacy Shield can be used to log into the EU – US Data Privacy Framework website.
Read the guide about how to re-certify with the DPF program.
- Privacy Shield companies that want to withdraw from the EU – US Data Privacy Framework
Companies with Privacy Shield certifications that do not want to proceed under the EU – US Data Privacy Framework must formally withdraw from the Privacy Shield/DPF. They need to notify the DoC in advance and state what the company will do with the personal data collected under the Privacy Shield.
Read the guide about how to withdraw from the DPF program.
Comply with privacy principles
Another requirement for participating in the DPF program is compliance with the DPF Principles. Companies must comply with the privacy principles set out in the DPF. These principles include limitations on data collection, purpose limitation, data retention, data deletion when no longer needed, and individual rights.
Privacy Policy updates
Companies must update their privacy policies according to the new principles of the DPF. Transparency is a crucial part of compliance with the DPF, so companies are required to clearly inform individuals about their data collection, processing, and sharing practices. The Privacy Policy must include information about the company and its contact details, the purposes for which data is collected, the identity of any third parties with which personal data is shared, the rights individuals have regarding their data, and the means to exercise these rights.
The company’s Privacy Policy must be easily accessible on the company’s website.
Read the guide about how to update your privacy policy according to the DPF principles.
Need a Privacy Policy? CookieScript Privacy Policy Generator can automatically create a unique and up-to-date Privacy Policy for you, which is compliant with the DPF program and other privacy laws.
Communication with the Customers Regarding their Personal Data
Any company participating in the DPF program is required to provide simple and easily found methods for customers to ask about the collection of their personal data, to be informed about it, and to raise complaints. A redress mechanism must be easily available to everyone. Preferably, individuals should be able to raise questions regarding their data privacy through several methods: by email, a dedicated phone number, social networks, or others.
Companies must respond to individuals within 45 days and without any cost to the individuals.
Additionally, companies must implement an independent recourse mechanism for individuals who are affected by non-compliance with the DPF program.
Read more about the recourse mechanism under the DPF program.
Eligibility
To qualify for the DPF program, organizations must fall under the authority of either the FTC or the DOT. Companies that are not subject to the jurisdiction of either the FTC or the DOT (banking, insurance, and telecommunications companies) are currently unable to participate in the DPF program.
EU-Based Organizations Sending Personal Data to US Organizations
EU-based organizations transferring personal data to US organizations claiming to participate in the DPF Program must verify that the relevant US organization is registered under the DPF Program. All registered organizations can be found on the Data Privacy Framework List.
EU-based organizations should check their US partners’ status regularly (for example, every six months). This requirement and practice should be reflected in the EU-based organization’s privacy policy.
Frequently Asked Questions
How to comply with the EU – US Data Privacy Framework?
To comply with the EU – US Data Privacy Framework, organizations must obtain self-certification, comply with privacy principles, update their privacy policies, and implement an independent redressal mechanism for individuals. CookieScript Consent Management Platform can help you comply with the EU – US Framework.
Who is eligible for the EU – US Data Privacy Framework?
Both private companies and public organizations are eligible for the EU – US Data Privacy Framework (DPF). However, to qualify for the DPF program, organizations must fall under the authority of either the FTC or the DOT. Companies that are not subject to the jurisdiction of either the FTC or the DOT (banking, insurance, and telecommunications companies) are currently unable to participate in the DPF program. CookieScript CMP can help you to comply with the EU – US Framework.
How to know if a company complies with the EU – US Data Privacy Framework?
Companies complying with the EU – US Data Privacy Framework are registered on the Data Privacy Framework List, where all registered organizations can be found. EU-based organizations sending users’ personal data to the US should check their US partners’ status regularly (for example, every six months).
How to self-certify under the EU – US Privacy Shield?
Companies that would like to initially self-certify for the EU – US Data Privacy Framework must submit an application that confirms the company’s compliance with the principles of the DPF. Read more about how to join the Data Privacy Framework program. CookieScript CMP can help you to comply with the EU – US Framework.
What to do for companies currently certified under the EU – US Privacy Shield?
Companies that are actively certified under the EU – US Privacy Shield do not need a separate self-certification to the DPF. They can rely on their existing EU – US Privacy Shield certification if they consider themselves compliant. However, these companies must update their Privacy Policy and Privacy Principles per the requirements of the DPF by October 10, 2023. Read the guide about how to update your privacy policy according to the DPF principles.