Companies May Begin Submitting EU-U.S. Data Privacy Framework Certifications
As of July 17, 2023, the Data Privacy Framework website and certification mechanism is fully functional and organizations that are approved under the EU-U.S. Data Privacy Framework (Framework) may begin taking advantage of the Framework for cross-border data transfers to Europe (with the exception of the United Kingdom and Switzerland). The Framework imposes different requirements depending on whether a company is a new participant or if a company is re-certifying because it continued to adhere to the Privacy Shield Principles during the past three years. Each are addressed in more detail below.
Organizations may certify to (1) the Framework, (2) the Framework with the UK Extension, and/or (3) the Swiss-U.S. Framework. At this time, certifying organizations may rely on the Framework to receive personal data from the EU. Certifying organizations will be able to rely upon the UK Extension and the Swiss-U.S. Framework to transfer personal data from those countries once those countries announce an effective date for their recognition of the adequacy decision.
New Participant Requirements.
The self-certification process for new participants to the Framework requires companies to disclose certain information to the U.S. Department of Commerce’s International Trade Association (ITA), as well as certify that it has adopted certain policies and procedures. Specifically, an organization must: (1) provide a description of its activities with respect to all personal data received from the EU; (2) include a copy of its privacy policy; (3) describe the independent resource mechanism it will use to investigate unresolved complaints where applicable; and (4) describe its method for verifying its attestations and assertions. The Framework, like the Privacy Shield, requires organizations to certify that they comply with a set of requirements governing participating organizations’ use and treatment of personal data received from the European Union. The requirements include seven commonly recognized privacy principles, such as notice, choice, access, and security, as well as sixteen equally binding supplemental principles that explain and augment those seven privacy principles.
After providing the requisite information and certifying to complying with the Framework’s requirements, an organization must await approval from ITA where it will then be added to a list of DPF participants. Organizations must pay an annual fee and recertify annually in order to maintain certification.
Former EU-U.S. Privacy Shield Participants.
Organizations that previously self-certified under the EU-U.S. Privacy Shield Framework Principles (Privacy Shield) and kept this certification active post-Schrems II, must comply with the requirements of the Framework, which imposes similar substantive obligations as the Privacy Shield. However, organizations additionally are required to make some discrete changes in order to comply with the Framework, such as updating privacy policies to include references to the “EU-U.S. Data Privacy Framework Principles.” Any such changes must be implemented within three months of the effective date of the Framework—by October 10, 2023. Notably, the updates to the Framework and the additional three months to comply do not affect an organization’s re-certification due date, which remains the same as it was under the Privacy Shield.
Lastly, if an organization previously self-certified with the Privacy Shield but does not wish to participate in the Framework, it must complete the Framework’s withdrawal process.
***
Wiley’s Privacy, Cyber & Data Governance Team has helped companies of all sizes from various sectors proactively address risks and comply with new privacy laws and requirements. Please contact Joan Stewart (jstewart@wiley.law) or Tyler Bridegan (tbridegan@wiley.law) if your organization needs assistance in understanding, complying with, or certifying to the Framework.
