Adapting to the EU-U.S. Data Privacy Framework

The formal adoption of the EU-U.S. Data Privacy Framework (DPF) by the European Commission in July 2023 was an important development for most businesses that have to comply with the GDPR, and especially businesses that are based in the United States. After years of legal uncertainty, the DPF provides an easy way to transfer personal data from the European Economic Area, United Kingdom, and Switzerland (we’ll just say “Europe”) to the United States.

Background

Tl;dr: The GDPR generally prohibits the transfer of Europeans’ personal data to the United States. After a lot of trial and error, the DPF provides a simple and legally safe means to process European data in the U.S.

The GDPR prohibits the transfer of personal data from Europe to any “third country,” meaning any country outside of the GDPR’s scope. There are a few important exceptions to this rule, however. The most important exception is when the third country has been the subject of an “adequacy decision” by the European Commission. An adequacy decision indicates that the third country provides a level of privacy protection that is roughly equivalent to Europe’s laws.

Until recently, the United States has not been the subject of an adequacy decision. The reason for this is twofold: the lack of a federal data privacy standard and the revelations of mass data surveillance by American intelligence agencies (made public by Edward Snowden). Given how much personal data flows through American tech companies—just think of how many websites use Google Analytics, for example—this rule has created huge headaches for a lot of businesses.

The EU and United States have tried in the past to come up with ways to keep the data flowing. Most notable was the Privacy Shield program, in which businesses could self-certify that they follow certain data-privacy principles. The Privacy Shield program was struck down by European courts in 2020, however, for providing an insufficient level of protection.

This left most businesses with no choice but to rely on Standard Contractual Clauses (SCCs), customized contracts between businesses that import and export data. However, SCCs had some glaring problems. They required expensive transfer impact assessments that only large companies actually bothered to complete. Worse, they didn’t really fix anything, because the main problem was surveillance by the U.S. Government. For this reason, SCCs were invalidated as a transfer mechanism in May 2023. (To make this even more confusing, once the DPF was adopted, SCCs were re-validated as a transfer mechanism, though they are still not the best option for most businesses.)

This brings us—finally—to the EU-U.S. Data Privacy Framework. The DPF serves as an adequacy decision for the United States, as long as the data recipient has an active DPF certification. (It also obliges the U.S. Government to reduce surveillance and provide recourse mechanisms for Europeans whose data may have been intercepted.) This provides a streamlined and easily verifiable means to transfer European data to American companies.

When the Data Transfer Rules Apply and How the DPF Helps

These examples should help you understand the GDPR rules on international data transfers.

Example 1

A U.S.-based eCommerce business has no physical presence in the EU, but does offer its products to Europeans, making it subject to the GDPR. The business collects Europeans’ personal information through its website, and uses various U.S. vendors such as Google Analytics to process that personal information.

There are a few important things to note here. First, the initial collection of Europeans' personal information by the U.S.-based business is not itself an international data transfer for GDPR purposes. That is because the data subject is the one who disclosed their data by interacting with an American website. Second, any onward transfers of personal data within the United States, such as the use of Google Analytics in this example, are considered international data transfers.

This means that the business in the above example needs to ensure that all of its U.S.-based data recipients have an active DPF certification. Luckily, it can look up active DPF participants on the official DPF website.

Example 2

An American retail business has a physical presence in the EU, which operates as a separate European subsidiary. The EU subsidiary regularly sends Europeans’ personal data about its customers and employees to its U.S. headquarters.

In this example, the initial collection of personal data by the subsidiary is not an international data transfer, because it is located within the EU. However, the disclosure of personal data by the EU subsidiary to its U.S. headquarters is an international data transfer, because they are two separate legal entities. In order for the transfer to be valid, the U.S. headquarters must be an active DPF participant, or else the two entities must depend on an alternate transfer mechanism such as SCCs or Binding Corporate Rules (BCRs).

Does Your Business Need to Be DPF Certified?

Unfortunately, it is difficult to give a clear answer on when a U.S. B2C company needs to participate in the DPF, due to uncertainty in the law and guidance from European authorities. The answer will depend on the nature of your business and how it receives personal data from Europe, so you should consider discussing the matter with your attorney.

If your business resembles Example 2 in the above section (receiving data from an EU subsidiary), it will likely need to find a way to legally transfer data within the company. The DPF is one option that is relatively easy and cost-effective, but SCCs and BCRs are viable options as well.

If your business looks more like Example 1, the answer is a little murkier. The initial collection of personal data as described in Example 1 is not an international transfer of data, but subsequently sending that data to a third party within the United States is an international data transfer. Current guidance from the European Data Protection Board makes that clear.

Those same guidelines also state that if an American business sends non-European data to a processor in the EU, that processor is performing an international data transfer when it returns data back to the United States. The processor therefore has a responsibility to only perform the transfer under appropriate safeguards such as the DPF, and therefore may require the American business to participate in the DPF. Following this same logic, it’s possible that when an American business sends EU data to an American processor, the return of that data from the processor back to the business is a separate international data transfer. If that is the case, the original business may need to be DPF-certified in order for the processor to stay GDPR compliant.

If trying to follow all of that reasoning is breaking your brain… you’re not alone. It’s definitely a complicated area of GDPR compliance, and the rules are always changing. The main thing to keep in mind is that, even if your business is more like Example 1, you can’t rule out the possibility that you may need to be DPF-certified in order to keep working with some processors.

What Does It Take to Be DPF-Certified?

Even though international data transfers may be complicated, the good news is the self-certification with the Data Privacy Framework is relatively straightforward. Here are the steps to complete, according to the DPF’s official website:

  1. Verify Your Organization’s Eligibility to Participate in the DPF

    This is really just a question of being under the jurisdiction of the Federal Trade Commission or Department of Transportation. If your business is located in the United States, it is probably eligible (with a few exceptions for industries such as finance and telecommunications).

  2. Develop a DPF-Compliant Privacy Policy Statement

    Businesses must have a privacy policy statement with all of the required information. Among other things, a business must disclose how it collects and uses personal data, mention its compliance with DPF principles, and identify its independent recourse mechanism.

  3. Ensure That Your Organization Has an Appropriate Independent Recourse Mechanism in Place

    If a European individual has an unresolved complaint about how your business is using their personal data, your business must provide an “independent recourse mechanism” to them free of charge. This typically means hiring a third-party alternative dispute resolution service that will arbitrate for you.

    Alternatively, your business can commit to cooperating directly with European Data Protection Authorities (DPAs) for the resolution of a complaint.

  4. Pay a One-Time Binding Arbitration Fee

    All participating organizations must contribute to the DPF’s binding arbitration mechanism (which is separate from the independent recourse mechanism). For most businesses, this will be $250.

  5. Ensure that Your Organization Has a Verification Mechanism in Place

    Your business must verify its compliance with DPF principles at least once a year. You must either have an internal assessment procedure or hire a third-party auditor.

  6. Designate a Contact Within Your Organization for DPF Compliance

    This will be your go-to person for everything related to the DPF.

  7. Review Your Certification Materials

    Make sure you’ve collected everything you need and all the information is accurate.

  8. Submit Your Organization's Self-Certification Package

    Reviewers may identify issues for correction. If not, you’re good to go!

How TrueVault Is Helping

For most of our customers, the most important issue is knowing whether their vendors have active DPF certifications. We are currently reviewing the vendors in our database in order to determine whether they have self-certified, saving your business time and effort. We will then integrate this information into your existing GDPR compliance so that there is minimal disruption.

For those businesses that must be DPF-certified, the privacy notices you’ve already generated will provide much of the required information for your DPF compliance statement. This should save you a great deal of work and help you get your self-certification package sent off very quickly.

If you have any questions to ask about this, please don’t hesitate to reach out to us!