If your company collects personal data from residents in Europe, you now have a more efficient option for transferring personal data out of Europe in a manner that is compliant with the EU’s General Data Privacy Regulation (“GDPR”) and the equivalent laws of the UK and Switzerland. Most of our clients currently rely on the “standard contractual clauses” (“SCCs”), a series of contractual provisions that have been blessed by the EU, UK and Switzerland as providing adequate protection for personal data that is exported out of Europe. These SCCs have been an integral part of building and maintaining a presence in Europe for many of our clients, but they can be cumbersome, and the European customers of our clients are not always consistent in their expectations for how the SCCs should be filled out and implemented.
The new EU-US Data Privacy Framework (“DPF”) offers a new alternative to the SCCs. US companies that comply with the DPF requirements are deemed to provide “adequate” data protection under the GDPR and equivalent UK and Swiss laws and do not need to sign the SCCs in order to process personal data. The DPF requires upfront and ongoing attention to data privacy practices, but offers long term benefits in terms of streamlined contracting processes and greater trust from European-based customers and consumers. Read on to learn more about how your company can participate in the DPF and how SPZ can help you with the process.
In order to obtain the benefits of the DPF, your company must certify its compliance with a series of requirements. Your company can certify by submitting self-certification documentation at this link. A summary of the information required in the self-certification documentation can be found here. A representative of the DPF Program will review the documentation and let you know if any issues must be addressed before your company’s self-certification is approved. Before your company submits the self-certification, it must take the following steps, each of which SPZ can help your company with:
Step 1 – Confirm eligibility for the DPF: As of now, only companies that are subject to oversight by the Federal Trade Commission and Department of Transportation are eligible for the DPF. The FTC’s jurisdiction is quite broad and applies to most companies in the US, but it does not apply to most financial institutions, telecommunications and interstate transportation common carrier activities, air carriers, labor associations, most non-profit organizations, or most packer and stockyard activities. If you’re not sure if your company is subject to FTC or DOT oversight, SPZ can provide guidance.
Step 3 – Put in place an appropriate Independent Recourse Mechanism: Your company must offer a recourse mechanism free of charge to individuals who have questions or concerns about your company’s use of their personal data. The type of recourse mechanism permitted by the DPF depends on whether or not your company collects human resources data (data about the company’s personnel). If your company does collect human resources data, the recourse must be provided in accordance with the guidance of the applicable European data protection authorities. If your company does not collect human resources data, the company can work with an independent dispute resolution body like JAMS or the American Arbitration Association. SPZ can help you assess which recourse mechanism may best fit the needs of your company and its customers.
Step 4 – Contribute to the designated binding arbitration fund: If an individual feels that its complaint has not been sufficiently addressed through the independent recourse mechanism (see Step 3 above), the individual can invoke binding arbitration through the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA). All participants in the DPF must contribute to a collective fund that will cover the cost of this binding arbitration. Click here to learn more about this binding arbitration process.
Step 5 – Put a verification mechanism in place: Your company must have procedures in place for verifying compliance with the DPF. The verification can be accomplished either through self-assessment or outside compliance reviews.
Step 6 – Designate a contact: Someone at your company must be the go-to contact for complaints, access requests, and any other issues relating to your company’s participation in the DPF.
Once your company is certified as a participant in the DPF, it will have ongoing obligations to remain compliant with the DPF’s requirements, set forth in a series of DPF Principles and Supplemental Principles. These requirements range from general (like the dispute resolution procedure identified above) to specific (what protections to include in contracts where your company shares personal data with third parties). SPZ can help your company stay on top of these obligations.
What about the Privacy Shield?
The Privacy Shield was a previous attempt by the US and EU to streamline the process for exporting personal data out of the EU. However, the EU’s highest court, the Court of Justice (“CJEU”) invalidated the Privacy Shield, in part due to the ability for US government authorities to access personal data collected by private companies. The new DPF was created in response to the invalidation of the Privacy Shield, and the EU held off on approving the DPF until the Biden administration in October 2022 issued an executive order that, among other things, required U.S. intelligence authorities to limit data collection activities to what is necessary and proportionate.
US companies that are still certified under the Privacy Shield are automatically (but temporarily) deemed participants in the DPF, but must properly certify under the DPF (see steps above) by October 10, 2023. If your company is currently certified under the Privacy Shield, SPZ can help you transition over to the DPF before the deadline.
Uncertainties about DPF
Although the DPF was approved by the EU Commission, that does not mean it can’t be challenged in front of the CJEU. For US readers, this is similar to a situation where the US congress passes a bill, the President signs the bill into law, but then the law is challenged in the courts. As discussed above, the DPF was specifically crafted to address issues in the Privacy Shield, and the EU Commission has stated that it is confident that the DPF will survive any legal challenges. Only time will tell, but the DPF appears to be on more solid legal ground than the Privacy Shield.
Although the DPF was designed to apply to transfers of data from the EU, UK, and Switzerland, as of August 21, 2023, the UK and Switzerland have not actually formally implemented the relevant regulations to bring the DPF into force in the UK and Switzerland. However, public statements from the governments of both countries and the US indicate that both the UK and Switzerland will bring the DPF into force in the coming months. Until that occurs, the DPF can only be relied on for transfers from the EU, and your company must continue to rely on the SCCs (or other approved mechanisms) for transfers of personal data out of the UK and Switzerland.
SPZ can help you with the DPF
This blog post was written by Sam Taylor, Ryan Shaening Pokrasso, and Becky Mancero.