REPLACEMENT FOR PRIVACY SHIELD – DATA PRIVACY FRAMEWORK PROGRAM

By: OlenderFeldman LLP; Michael J. Feldman, Esq. and Marguerite “Margo” Kneisser, Esq. August 8, 2023

With the EU-U.S. Privacy Shield Framework no longer available as a legal mechanism for transferring personal data from the EU/EEA/UK to the U.S. (leaving most businesses to rely upon Standard Contractual Clauses), the U.S. has completed negotiation of the EU-U.S. Data Privacy Framework (“DPF”) to replace Privacy Shield. This memo addresses the basic considerations and issues for joining the DPF.

Joining the DPF Program

Confirm Entity’s Eligibility.  The entity/business must be subject to the jurisdiction of the Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”).  FTC jurisdiction generally covers any person or entity engaged in or affecting commerce.  The FTC does not, however, have jurisdiction over most banks and comparable financial institutions, telecommunications common carriers, interstate transportation companies, air carriers, labor associations, most non-profits, and packer and stockyard businesses, and it has jurisdiction over insurance activities only in limited circumstances.  The DOT generally has jurisdiction over air carriers and, concurrently with the FTC, ticket agents.  An entity outside both agencies’ jurisdiction cannot self-certify.

Develop a DPF-Compliant Privacy Policy Statement. Many entities already have a privacy policy, and much of it may already be compliant, but the DPF requires specific provisions so that the policy conforms to the DPF Principles. Privacy policies previously developed under Privacy Shield must be updated to refer to the entity’s commitment to comply with the DPF. As part of the certification process, you must submit your privacy policy to the U.S. Department of Commerce’s International Trade Administration (“ITA”), which reviews it to confirm that it complies with the DPF Principles and will inform you of any changes that need to be made. To be compliant, the privacy policy must incorporate and conform to the DPF Principles and, generally, include the following:

Notice: You must inform individuals in clear and conspicuous language about:

  • Your participation in the DPF program, with a link to the DPF List of participating organizations;
  • Your commitment to comply with the DPF Principles as set forth on the DPF website (https://www.dataprivacyframework.gov/);
  • The types of personal data collected and the purposes for which it is collected and used;
  • Contact information for inquiries or complaints;
  • The types of third parties to whom you disclose personal data and the purposes for which you do so;
  • The right of individuals to access their personal data and the choices and means you offer for limiting its use and disclosure;
  • The independent dispute resolution body to which complaints can be made, and the right of individuals to invoke binding arbitration under certain conditions;
  • The fact that you are subject to the investigatory and enforcement powers of the FTC, the DOT, or another applicable U.S. governmental body;
  • The name of any other privacy program in which the entity is a member;
  • A publicly available and accurate location for the privacy policy. The only exception is an entity that self-certifies solely as to human resources data, which may make its policy available internally only;
  • The requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
  • Your potential liability for onward transfers to third parties.

Choice: You must offer individuals the opportunity to opt out of having their personal information disclosed to a third party or used for a purpose materially different from the one for which it was collected. For sensitive information (e.g., health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sex life), affirmative express consent (opt in) is required instead.

Accountability for Onward Transfer: Arrangements with third-party controllers (and agents acting on your behalf) must limit data use or processing to the purposes consented to by the data subject, must require the same level of protection as the DPF Principles require, and must be made in accordance with your obligations under the DPF Principles. Third parties must notify you if they can no longer meet those obligations, and upon such notice you must take reasonable and appropriate steps to stop and remediate unauthorized processing.

Security: You must take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the data.

Data Integrity and Purpose Limitation: You must limit personal information to what is relevant for the purposes of processing, and you must take reasonable steps to ensure that it is reliable for its intended use, accurate, complete, and current. Personal information cannot be processed in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual. These limitations apply for as long as you retain the information.

Access: Individuals must have access to the personal information about them that you hold, with the right to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the DPF Principles.

Recourse, Enforcement and Liability: You must have mechanisms for assuring compliance with the DPF Principles, and recourse and consequences for non-compliance. At minimum, these must include:

  • Identifying the independent recourse mechanism selected to handle disputes with individuals who believe their privacy rights were violated by the entity. Several private organizations may be used (e.g., BBB, TRUSTe, AAA, JAMS, the Direct Marketing Association), or you may commit to cooperate with the EU data protection authorities (“DPAs”) as your dispute resolution mechanism, for an annual fee of $50. Note that entities self-certifying as to human resources data must commit to cooperate with the DPAs for that data;
  • Having procedures in place for verifying compliance with the DPF. This can be accomplished through self-assessment or outside (third-party) compliance review;
  • Setting forth your obligation to remedy any failure to comply with the DPF Principles and your acceptance of the consequences of such failure; and
  • Designating an internal contact for handling questions, complaints, access requests, and all other issues that may arise under the DPF. The contact can be a corporate officer or someone else at the company.  The entity must respond to any individual’s DPF-related request (e.g., a complaint) within 45 days.

Make the Required Contribution for the Binding Arbitration Mechanism.  The U.S. Department of Commerce has agreed to maintain a fund, to which participating organizations are required to contribute, to cover arbitration costs for EU, UK, or Swiss individuals who invoke binding arbitration to determine whether their privacy rights have been violated. The contribution is made through the International Centre for Dispute Resolution-American Arbitration Association’s (ICDR-AAA) website at http://go.adr.org/privacyshieldfund.html.

Review Information Required to Self-Certify. Review and compile all required information prior to self-certifying online. The decision to self-certify is voluntary; however, once an organization self-certifies, compliance with the DPF is compulsory. When an organization self-certifies and publicly declares its commitment to adhere to the DPF Principles, that commitment becomes enforceable under U.S. law (for FTC-jurisdiction entities, under Section 5 of the FTC Act as a deceptive practice if the commitment is not honored). To self-certify, an organization must have the following information (in addition to the above):

  1. Name of the organization, its contacts, and the certifying corporate officer, including mailing address, e-mail address, telephone and fax numbers;
  2. Other covered U.S. entities and U.S. subsidiaries, i.e., a list of all other entities or subsidiaries of the organization that will also adhere to the DPF;
  3. The organization’s annual revenue;
  4. A description of the organization’s activities with respect to personal information received from the EU; and
  5. A description of the organization’s privacy policy for such personal information (see above).

Submit Self-Certification to the ITA. This is done through the “Self-Certify” link on the DPF program website.  Submission also requires payment of the self-certification fee, which is tiered according to the size (annual revenue) of the entity seeking certification.

EU-U.S. DPF benefits are effective from the date on which the Department of Commerce places the organization on the Data Privacy Framework List.  The Department will place an organization on the list only after determining that its initial self-certification submission is complete, and will remove the organization from the list if it voluntarily withdraws, fails to complete its annual re-certification, or persistently fails to comply with the Principles.  Removal from the list does not end the organization’s obligations with respect to personal data received while it was a participant.

Please contact Michael J. Feldman, Esq. at 908-964-2486 or for more information on the DPF program and for assistance in seeking certification.