Breaking Down the EU-U.S. Data Privacy Framework
In July, the European Commission concluded the United States provides adequate levels of protection for the data of European citizens, paving the way for the EU-U.S. Data Privacy Framework. The new framework is significant for organizations that operate in both the U.S. and Europe and transfer personal data from the European Economic Area (EEA) to the U.S.
In 2020, the Court of Justice of the European Union struck down Privacy Shield (the Schrems II decision), leaving only limited mechanisms, such as standard contractual clauses, for transferring personal data from the EEA to the U.S. This exposure was highlighted when Meta was fined roughly $1.3 billion (EUR 1.2 billion) for transferring the data of European Facebook users to the U.S. without a valid transfer mechanism. The framework, at least for now, serves as an adequacy decision under which personal data can be transferred from the EEA to the U.S.
To participate in the EU-U.S. Data Privacy Framework (DPF), American companies must self-certify against the framework and its privacy principles. Companies that maintained their Privacy Shield certification may begin operating under the DPF immediately, but they must comply with the DPF Principles, including updating their privacy policies to reference them, by October 10, 2023.
Here is a look at some of the key principles and elements of the DPF, what they mean to your organization, and some steps to take to self-certify:
Choice: Participating organizations must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
This will require participating organizations to track closely which third parties receive personal data and for what purposes, and to offer individuals the ability to opt out of that sharing. Alignment with the purpose limitation principle under the GDPR will be critical in demonstrating compliance with this requirement.
Security: Participating organizations are required to take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, and alteration. The GDPR and many U.S. state privacy laws impose the same requirement. Organizations should align with, and consider certifying against, an industry-accepted information security framework to help demonstrate compliance with this requirement. Well-recognized options include ISO/IEC 27001 (certifiable), SOC 2 (an independent attestation report rather than a certification), and the NIST Cybersecurity Framework (a framework to align with; it has no certification scheme).
Access: Individuals will have the ability to access, correct, amend, and delete the personal information that participating organizations are processing about them.
Recourse, enforcement, and liability: Individuals will have access to free-of-charge independent dispute resolution mechanisms as well as binding arbitration. These are further outlined in Annex I of the DPF, and prior to self-certifying, organizations should review the options carefully to determine which avenues are appropriate for their business model.
While the long-term outcome of the DPF is uncertain (like Privacy Shield before it, it is expected to face legal challenge), it is currently an acceptable mechanism to transfer personal data from the EEA to the U.S. Organizations interested in self-certifying should already be largely aligned with the principles through their GDPR compliance. The enforcement mechanisms and arbitration model, however, are new, and organizations should confirm they can meet them before certifying. Organizations transferring personal data from the U.K. and Switzerland should prepare for similar adequacy decisions from the U.K. and Swiss governments as well.
At CompliancePoint we have a team of privacy professionals that can help your organization achieve and maintain compliance with a variety of regulations, including the EU-U.S. Data Privacy Framework, GDPR, CCPA, and all applicable state laws. Contact us at email@example.com to learn more.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.