Data privacy standards change about as much as the weather nowadays. Only the implications of ignoring them are much more serious than those of forgetting to pack an umbrella on a rainy day. In the latest turn of events, two international trendsetters—the European Union and the United States—have teamed up to create a data privacy framework that aims to protect their citizens’ data when it crosses the Atlantic.
The EU-US Data Privacy Framework hasn’t been around for long but is already making waves. Countless international companies have already committed to taking part, and the official website was just launched by the U.S. Department of Commerce. Let’s take a deep dive into the framework, why it exists, and how interested organizations can apply online to participate.
Contrasting European and American Data Privacy Law
Europe and America are two very, very different places. Not just from a cultural or linguistic standpoint, but also concerning the ways business entities are allowed to use citizens’ data.
The EU’s General Data Protection Regulation (GDPR) is one of the most robust policies of its kind, while the US has long taken a piecemeal approach to governing the issue of data privacy. Unlike member countries of the Bloc, which share a single set of guidelines, American states have the jurisdiction to make their own local laws. The most notable of these include California’s CPRA, Colorado’s CPA, and the Virginia Consumer Data Protection Act (VCDPA).
There has been particular concern from European lawmakers over the security of citizens’ information sent overseas to the US. Many state laws establish decent protections, but only 12 exist to date. They also set different rules when it comes to things like individuals’ rights to data portability, right of access and erasure, as well as age limits for data collection.
This reality has created a need for companies to reconcile the two regimes. Those already familiar with the GDPR know that it applies to any processor that handles EU citizens’ personal information, whether they’re physically located in the region or not. What flies in New York or Florida might not pass muster in the EU.
What Is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework – sometimes referred to as EU-US DPF – represents Europe and America’s latest attempt at creating a harmonized set of rules for data transfers between the two regions.
Regulators have been hard at work over the past three years to come up with a new, more robust solution to trans-Atlantic data transfer between the US and EU. President Biden and European Commission President von der Leyen announced this latest framework, the Data Privacy Framework (DPF) Program, in March 2022.
President Biden then signed an Executive Order outlining the steps that the country would take to implement its commitments under the DPF in October. Everything fell into place for the framework to be fully adopted on July 10, 2023.
How We Got Here
It’s hard to understand the significance of the new DPF without knowing the tumultuous story of how it came to be. This isn’t the EU and US’ first agreement on trans-Atlantic data transfer – there have actually been several over the years.
The most recent is the EU-US Privacy Shield, which is what the EU-US Data Privacy Framework is replacing. Implemented in July 2016, this framework was intended to establish baseline rules on how commercial entities move data between Europe and America. It effectively bridged a very confusing gap for companies that faced conflicting expectations from each side of the Atlantic. But it wasn’t perfect.
Not long after the EU-US Privacy Shield was introduced, it came under scrutiny from European data privacy advocates who argued that the framework didn’t go far enough to protect Europeans’ personal data. The European Court of Justice eventually invalidated it in 2020, after a complaint filed by the same man who took down its predecessor, the U.S.-EU Safe Harbor Framework, in 2016.
That law was similar in nature, albeit slightly less developed than the Privacy Shield. With both proven insufficient after Schrems II, lawmakers were tasked with going back to the drawing board once again.
Meet the New EU-US DPF Website
It’s now time to introduce the platform that serves as the headquarters for everything there is to know about and do with regard to the EU-US DPF. The framework’s official website, www.dataprivacyframework.gov, recently went live. It goes into detail explaining fundamental pieces of information for American businesses, such as why the agreement matters and what entities are included in it.
The website also provides access to official documentation for businesses that need further information on how they can comply with the agreement. This includes specifics on which entities are subject to it, as well as other implementation resources including concept papers, technical specifications, and policy guidance documents. There’s a huge breakdown of everything A to Z, plus answers to practically every question that could arise both before and after the application process has been completed.
Those who are approved for DPF certification will have the honor of being listed on the website’s Data Privacy Framework List. Visitors are able to publicly search this list for active and inactive companies that meet the agreement’s guidelines. Many major names can already be found here, including Microsoft Corporation, Adobe Systems Inc., Amazon.com, Inc., and Google LLC.
Organizations listed on the DPF website should be prepared to have the direct contact details of their Chief Privacy Officer visible under ‘Dispute Resolution’.
European Business Information
European businesses looking to transfer data overseas can use the EU-US DPF website to verify that the companies they are interested in working with have fulfilled the required criteria. It outlines what commitments the organization has made to ensure compliance with EU data protection laws, such as how their non-EU networks are secured and what steps they’ve taken to protect personal information. There is a section on contract requirements, which explains how to go about the process of entering into a data transfer agreement with a company from the United States. Europe-based businesses with subsidiaries in the US can also come here for guidance on assessing their eligibility for and applying to the DPF certification program.
European Consumer Information
The EU-US Data Privacy Framework website isn’t only for companies – it’s also a great resource for European consumers who want to learn more about their protections and rights under the new policy.
The ‘European Individuals’ section details the key points of the DPF and how EU/EEA, UK (and Gibraltar), and Swiss individuals can go about protecting their personal data. It’s important for people to remember that companies listed under this agreement are legally bound by its terms, and must comply with all data protection regulations or risk significant fines.
The consumer webpage has links to directions on how to submit a complaint should someone feel their rights have been violated, as well as how to inquire about US national security agencies’ access to their personal data.
Luckily for those who are confused, the U.S. government has included several helpful resources on its official website to guide individuals on every side of the agreement through the complexities of the DPF. European Data Protection Authorities even have their own designated page with a link to request the assistance of a liaison officer.
Companies with questions can navigate to the ‘Contact’ subpage under ‘About’ on the main menu bar. This space currently lists multiple services meant to make adopting the DPF more accessible, ranging from additional resources on dispute resolution and enforcement to a form that can be filled out to request special outreach and educational support.
Gearing Up for the EU-US Data Privacy Framework
Prior to the EU-US Data Privacy Framework, organizations were either intermittently maintaining their certification under the previous program or withdrawing from it altogether to pursue alternative means of overseas data transfer. President Biden’s signature put the new plan into place in 2022 and it was officially implemented in July 2023. Companies have since been able to apply for the EU-US DPF through its official website.
Despite being voluntary, applying to participate in the EU-US Data Privacy Framework is not hands-off by any means. It’s a comprehensive process that consists of several steps, described in the sections that follow.
Not every business out there will qualify for EU-US Data Privacy Framework certification. The official website states that eligibility is currently limited to U.S. legal entities overseen by the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).
The first step for any organization wanting to participate is to determine if they meet the basic criteria by completing a self-assessment.
Meeting Program Requirements
In order to receive EU-US Data Privacy Framework certification, organizations will need to meet a series of requirements, including:
● Identifying one or more independent recourse mechanisms, such as a GDPR Data Protection Officer, that individuals can use if they believe the organization’s compliance with DPF standards is inadequate
Committing to Compliance Verification
Unfortunately for applicants, the government does not consider it enough to simply say you’ll use due diligence when handling people’s personal data. Companies that tout a Data Privacy Framework certification are expected to prove their compliance with the rules on an ongoing basis. This can be done in a number of ways, including regular in-house assessments and third-party audits.
Designating a DPF Contact
As is already mandated by several prominent data privacy laws, the Data Privacy Framework requires participating companies to designate an official point of contact for compliance-related matters.
This contact should be knowledgeable about the company’s data privacy procedures, processes, and practices, understand what’s expected of DPF-certified entities, and be ready to respond to any inquiries or complaints within 45 days.
The reputational benefits of officially registering with the EU-US Data Privacy Framework come with a small fee. Companies must contribute to a fund managed by the ICDR-AAA to cover arbitration costs. Further information on how to make that contribution is available on the ICDR-AAA’s website.
Self-Certifying Through the EU-US DPF Website
Organizations ready to start pursuing participation in the EU-US Data Privacy Framework program can do so by clicking the ‘Self-Certify’ tab on the website’s main menu bar. This leads to a registration portal through which applicants will need to indicate their first name, last name, and email. A verification link gets sent to the address provided to allow the applicant to confirm their identity and create an account.
Once registered, users can create an application by inputting basic information about their company and providing details on their data handling practices as outlined in the last section. The EU-US DPF website is hosted and secured by the U.S. Department of Commerce. While its rigid HTML style mirrors that of many other government websites, the application process itself is pretty straightforward. Anyone who does experience problems can submit feedback through a link in the website footer.
The EU-US Data Privacy Framework is a beautiful example of what good can happen when international powers work together towards a common goal. While attaining and maintaining compliance with the new rules will be a hurdle for some, their implementation marks a great step forward for consumer privacy around the world. Of course, time will tell if this latest framework lasts, or whether Maximilian Schrems will have something to say about it as well. In the meantime, the best thing any company operating between Europe and the United States can do is get acquainted with the framework and its website.
TeraDact is a Montana-based data protection, optimization, and resilience partner for leading public and private sector enterprises. We are committed to providing clients with full-spectrum data management, focusing on protection, operational efficiencies, and data analytics and imaging solutions that ensure robust data treatment across the integrated functions of security, privacy, governance, and compliance.
At the core of our values are integrity, innovation, collaboration, and operational excellence. Through our comprehensive suite of technology-enabled platforms and targeted data optimization consulting and services, we empower our clients to secure, monitor, and manage their core data more efficiently and effectively, leading to measurably improved performance and organizational resilience.
We aim to become the leading data protection, optimization, and resilience partner for the world’s most innovative public and private sector enterprises. By providing peace of mind around optimized data utilization and resilience, we help our clients make better-informed, data-driven decisions and ensure secure and compliant data utilization over time. Reach out today for more information on data privacy and the new EU-US framework.