On July 10, 2023, the European Commission implemented an adequacy decision regarding the EU-U.S. Data Privacy Framework (DPF), which is a self-certification program that seeks to ease the transfers of personal data from the EU to the United States and allow companies to streamline their compliance with EU data flow restrictions. American companies that have undergone the DPF certification process will be able to import personal data from the EU and European Economic Area (EEA) into the United States without relying on other data transfer mechanisms, such as Standard Contractual Clauses (SCCs), Data Transfer Impact Assessments (DTIA), or additional supplemental measures.
Small Business Support
Navigating international data transfers and legal compliance can be a challenge, particularly for small businesses and startups like our members, which often lack the resources for the large legal departments needed to comply. We know how strongly our global membership feels about continuing to build and grow their businesses, further growing the $1.8 trillion app economy, and to do so we must ensure that the cost of doing business legally is kept as low as possible. We will continue to work with policymakers in the United States and EU to further ensure that navigating this process is as seamless as possible so that our small business members can remain competitive on a global scale.
The DPF will likely be challenged in court, but in the meantime, the DPF provides a data transfer mechanism that companies can manage through self-certification. Below is information to help your company self-certify with the EU-U.S. Data Privacy Framework.
1. Submit information to the Department of Commerce (DoC) through the DPF website and receive approval to be added to the list of DPF participants.
• Companies must submit information such as the name of their organization and a description of their purpose for processing personal data. Companies that are already certified to the Privacy Shield must update their privacy policies to refer to the “EU-U.S. Data Privacy Framework Principles” within the next three months.
• To maintain certification, companies must pay a fee and recertify annually, which involves self-verifying compliance with the Principles. The DoC will maintain a list of certified companies and a list of formerly certified companies (together with reasons for removal). Companies that self-certified with the Privacy Shield will need to formally withdraw if they do not wish to participate in the DPF.
2. Publicly commit to comply with the DPF’s Principles.
• DPF’s Principles use similar headings to those used under the Privacy Shield (e.g., Notice, Choice, Accountability for Onward Transfer), but the basis of some of the supplemental principles has changed. For example, the Self-Certification principle details requirements that companies must satisfy to self-certify and recertify, and specifies that a company that withdraws from the DPF must notify the DoC what it will do with the personal data that it received while utilizing the DPF.
• A company’s failure to comply with the DPF’s Principles is enforceable by the Federal Trade Commission under Section 5 of the FTC Act, which bans unfair or deceptive acts in or affecting commerce.
We will be sure to keep you informed on all relevant updates and information about framework implementation, and please let us know if you have any questions in the meantime.