On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). Under the adequacy decision, U.S. companies that self-certify under DPF can lawfully transfer personal data from the EU to the U.S. This blog explores issues companies should consider when deciding whether to self-certify and steps for self-certifying under DPF.
My company is self-certified under Privacy Shield. What is the process for self-certifying under DPF?
Per the Department of Commerce, if your company has actively maintained its self-certification under Privacy Shield, then its self-certification will automatically carry over to DPF, provided you take the following steps:
- Update the company’s privacy notice with the new required DPF language by October 10, 2023.
- Ensure the company complies with the DPF Principles (outlined below).
- Ensure the company recertifies each year. The recertification date is the same as the company’s previous Privacy Shield recertification date. Companies can recertify through the DPF website starting on July 17, 2023.
My company is self-certified under Privacy Shield. Should the company continue to self-certify under DPF?
If your company is actively self-certified under Privacy Shield, then the company should probably continue its self-certification under DPF. Consult with your legal team and ensure the company continues to comply with the DPF Principles (outlined below).
My company is not self-certified under Privacy Shield. What is the process for self-certifying under DPF?
If your company is not actively self-certified under Privacy Shield, then you must take the following steps:
- Update the company’s privacy policy to include the required DPF language.
- Identify and register with an independent recourse mechanism.
- Ensure the company complies with the DPF Principles (outlined below).
- Complete the self-certification process through the DPF website starting July 17, 2023.
- Once self-certified, ensure the company recertifies each year.
My company is not self-certified under Privacy Shield. Should the company self-certify under DPF?
This is a complex question. If your company is not actively self-certified under Privacy Shield (either because it never self-certified or it previously withdrew its self-certification), you need to carefully weigh the benefits and drawbacks of self-certification. Consult with your legal team.
The major benefit of self-certification under DPF is that your company will be able to immediately rely on DPF for its EU data transfers. This may help with your GDPR compliance and contract negotiations, and signal your commitment to data protection.
The major drawback of self-certification under DPF is that there is a strong possibility DPF will be invalidated by the highest EU court at some point. DPF is the third-generation data protection framework between the EU and the U.S.; Privacy Shield was invalidated in July 2020 through the Schrems II decision, and Safe Harbor was invalidated in October 2015 through the Schrems I decision. Max Schrems has already indicated that he intends to bring a legal challenge against DPF. This means that self-certifying under DPF could prove a waste of resources or, worse, expose your company to new risk. For example, if a company chooses to rely solely on DPF in its contracts instead of SCCs, and DPF is subsequently invalidated, the company may be prohibited from conducting EU data transfers. Accordingly, as a precaution, companies that self-certify under DPF should continue incorporating SCCs as an alternative transfer mechanism in the event DPF does not survive legal challenges.
Another drawback of self-certification under DPF is that self-certification could make your company a target for third-party claims and regulatory scrutiny. Companies that self-certify are added to a publicly available list on the DPF website. If a company fails to pay its annual fees or decides to withdraw from DPF, the company is indefinitely listed as "Inactive." This Inactive status became a major concern for companies when Privacy Shield was invalidated. Companies were forced to choose between paying annual fees for an invalid mechanism or being placed on the Inactive list. Many companies chose to pay fees rather than withdraw as they were concerned withdrawal would make them a target. If DPF is invalidated, companies that self-certify under DPF could face a similar dilemma.
Does DPF cover UK-U.S. and Swiss-U.S. data transfers?
Yes. Similar to Privacy Shield, DPF can cover UK-U.S. and Swiss-U.S.
- Swiss-U.S.: Companies that self-certified their compliance with the Swiss-U.S. Privacy Shield Framework Principles have until October 17, 2023, to comply with the Swiss-U.S. DPF Principles. Compliance includes updating their privacy notices by October 17, 2023 and adhering to the DPF Principles below. New participants can self-certify starting on July 17, 2023. Companies may rely on the Swiss-U.S. DPF upon the Swiss Federal Administration’s recognition of adequacy.
- UK-U.S.: Data transfers from the UK will be handled through a “UK Extension” to DPF. Companies that have self-certified under Privacy Shield and companies that have not previously self-certified will need to fill out the UK Extension, which will be available on July 17, 2023, through the DPF website. It is important to note that while companies can begin self-certifying on July 17, 2023, they will not be able to use the UK Extension until the UK adopts its own adequacy decision.
What are the DPF Principles?
The DPF Principles are a set of principles that companies must agree to in order to self-certify under DPF. Below is a summary of the principles:
- Purpose Limitation and Choice. Personal data should be processed lawfully and fairly. To satisfy this principle, personal data should be collected for a specific purpose and subsequently used only in a compatible way. If a company is using personal data for a materially different, but compatible, purpose than that for which it was collected (or disclosing personal data to a third party), the company must provide consumers with the opportunity to opt-out through a clear, conspicuous, and readily available mechanism.
- Processing of Special Categories of Personal Data. Specific safeguards must exist where “special categories” of data are processed. These categories include sensitive data (i.e., personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information on the sex life of the individual, or any other information received from a third party that is identified and treated by that party as sensitive). Companies must receive opt-in consent to use sensitive information for purposes other than those for which it was originally collected/subsequently authorized or to disclose it to third parties.
- Data Accuracy, Minimization, and Security.
- Accuracy: Personal data must be kept accurate and up-to-date.
- Minimization: Personal data must be limited to what is relevant, and companies should take reasonable steps to ensure that personal data is reliable for its intended use and that the data is used for the purpose initially collected or subsequently authorized.
- Security: Companies should take reasonable and appropriate security measures so that personal data is processed in a manner that ensures its security.
- Transparency.
- Public Privacy Policy: Companies are required to make their privacy policy public and provide links to the DPF website, the DPF List, and the website of an alternative dispute settlement provider.
- Privacy Notice: Data subjects should be informed of the “main features of the processing of their personal data.” The notice must include:
- Participation of the company in the DPF
- Type of data collected
- Purpose of the processing
- Type or identity of third parties to which personal data may be disclosed and the purposes for doing so
- Data subjects’ individual rights
- How to contact the company
- Available redress avenues
- Individual Rights. Data subjects have certain rights they may enforce against the controller or processor, including the right to: (i) access, correct, or delete data; (ii) object to the processing of their data for materially different, but compatible, purposes than those for which the data was collected; (iii) object to the processing of their data by third parties; and (iv) opt-out of the processing of their data for direct marketing purposes.
- Restrictions on Onward Transfer. Onward transfers (personal data transferred from the EU or EEA to the U.S. and then further transferred to a recipient in the U.S. or another country) must also be afforded protection. DPF will allow onward transfers if all three of the following are met:
- The transfer took place for limited and specified purposes;
- The transfer is based on a contract between the company and the third party (or comparable arrangement within a corporate group) AND;
- Only if that contract requires the third party to provide the same level of protection as the one guaranteed by the Principles.
- Accountability. Companies must put technical and organizational measures in place to effectively comply with data protection obligations and be prepared to demonstrate such compliance to the competent supervisory authority. Companies must be aware that once self-certification under DPF is complete, compliance with the above principles is compulsory and enforceable
What are the requirements for re-certification?
To recertify, each year a company must:
- Publicly declare its commitment to comply with the DPF Principles.
- Review its privacy policies and practices to ensure they are compliant with the DPF Principles.
- Reconfirm the information it has provided to the Department of Commerce through the DPF website, and pay the applicable fees.
If you need any help self-certifying, please contact a member of our Privacy & Data Security Team.