The Data Privacy Framework

Jasmine Harrison, Philip Brining and Joe Kirk

Tune in to a conversation between our experts as they discuss the Data Privacy Framework.

Data Protection Made Easy Episode 135

Simplified Overview of the Data Privacy Framework (DPF)

The Data Privacy Framework (DPF) is a vital program developed to facilitate secure data transfers between the United States and the European Union/European Economic Area, the United Kingdom (including Gibraltar), and Switzerland. This framework ensures that data protection aligns with the respective laws of these regions.

Effective Dates:

The EU-U.S. DPF Principles, along with the Supplemental Principles and Annex I, became effective on July 10, 2023. This allows the transfer of EU personal data to participating organisations in line with EU law.

Starting from July 17, 2023, eligible U.S. organisations can self-certify compliance with the UK Extension to the EU-U.S. DPF. However, data transfers from the United Kingdom and Gibraltar can only begin once the UK adequacy regulations come into force, at which point transfers compliant with UK law are permitted.

The Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I, will be effective from July 17, 2023. Data transfer from Switzerland, complying with Swiss law, will commence once Switzerland recognises the adequacy of the Swiss-U.S. DPF.

DPF Program Overview:

Administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, the DPF program permits U.S.-based organisations to self-certify their adherence to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. This certification is done via the ITA’s Data Privacy Framework (DPF) program website.

Participating organisations must publicly commit to following the DPF Principles. Once an organisation has self-certified, compliance with the Principles is mandatory and legally enforceable under U.S. law.

Compliance Choices:

Organisations can choose to self-certify under the EU-U.S. DPF and/or the Swiss-U.S. DPF.

To participate in the UK Extension to the EU-U.S. DPF, organisations must also adhere to the EU-U.S. DPF Principles for data transfers from the European Union, the United Kingdom (including Gibraltar), and/or Switzerland. This commitment should be reflected in their self-certification submissions and privacy policies.

If organisations previously certified compliance under the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield, they must follow the respective DPF Principles to enjoy the benefits of the DPF program.

Listing Requirement:

To utilise the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for data transfers, organisations must self-certify and be listed on the Data Privacy Framework List. The ITA updates this list based on annual re-certification submissions and may remove organisations that voluntarily withdraw, fail to complete annual re-certification, or persistently fail to comply with the Principles.

An authoritative record of removed organisations is maintained and available to the public on the Department’s DPF program website. Any removed organisation must cease claiming participation in or compliance with these frameworks but must continue to apply the DPF Principles to retained personal information.

Additional Resources:

Organisations interested in self-certification can find comprehensive requirements and helpful resources provided by the ITA’s DPF team below.

For more detailed information, please visit the official DPF website: Data Privacy Framework (DPF) Program Overview

Key Requirements for DPF Program Participants Made Easy

At Data Protection People, we believe in simplifying complex information. Here’s a straightforward breakdown of the key requirements for organisations participating in the Data Privacy Framework (DPF) program:

Informing Individuals About Data Processing

      • Include a clear commitment to follow the DPF Principles in your privacy policy. This commitment becomes legally enforceable under U.S. law.
      • Your privacy policy should have a link to the U.S. Department of Commerce’s DPF program website.
      • Provide a link or web address for the independent recourse mechanisms that handle individual complaints under the DPF Principles.
      • Inform individuals about their rights to access their personal data, the need to disclose personal information when requested by public authorities, the enforcement authority overseeing your compliance, and your liability when transferring data to third parties.

Providing Free and Accessible Dispute Resolution

      • Respond to individual complaints within 45 days if they approach you directly.
      • Offer an independent recourse mechanism, at no cost to individuals, to investigate and resolve complaints and disputes.
      • If a complaint goes to a data protection authority (DPA) in the EU/EEA, the UK (and Gibraltar), or Switzerland, the U.S. Department of Commerce’s International Trade Administration (ITA) commits to helping resolve it within 90 days.
      • Commit to binding arbitration if other dispute resolution methods fail.

Cooperating with the U.S. Department of Commerce

      • Promptly respond to ITA inquiries and requests for information related to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Maintaining Data Integrity and Purpose Limitation

      • Only collect and use personal information relevant to your processing purposes.
      • Comply with data retention rules.

Ensuring Accountability for Data Transferred to Third Parties

When transferring data to a third party as a controller:

      • Follow Notice and Choice Principles.
      • Sign a contract with the third-party controller, ensuring limited and specified data processing consistent with individual consent and DPF Principles.

When transferring data to a third party as an agent:

      • Transfer data only for specific purposes.
      • Ensure the agent commits to the same privacy protection level as required by DPF Principles.
      • Monitor the agent’s compliance.
      • Act upon any violations.
      • Provide a summary of your contract with the agent to the U.S. Department of Commerce when requested.

Transparency Related to Enforcement Actions

      • Publicly disclose relevant DPF-related sections of compliance or assessment reports submitted to the Federal Trade Commission (FTC) or the U.S. Department of Transportation if you face an FTC or court order due to non-compliance.

Keeping Commitments While Holding Data

      • If leaving the DPF program, annually affirm your commitment to apply the DPF Principles to retained data. Alternatively, provide “adequate” protection for that data through other authorised means.

These requirements ensure responsible data handling and compliance with the Data Privacy Framework for organisations participating in the program.

How to join the Data Privacy Framework

Joining the Data Privacy Framework (DPF) is a voluntary decision for U.S.-based organisations. Here’s how it works in easy-to-understand language:

      • Voluntary Choice: Any U.S.-based organisation can choose to be part of the DPF program, but it’s entirely up to them; nobody is forced to join.
      • Enforceable Commitment: Once an eligible U.S.-based organisation decides to join and tells the U.S. Department of Commerce’s International Trade Administration (ITA) about it, they must also publicly commit to following the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles.
      • Legal Enforcement: This commitment isn’t just a promise; it’s a legal commitment. If the organisation doesn’t stick to these principles, they can be held accountable under U.S. law. The authorities responsible for this enforcement are the Federal Trade Commission (FTC), the U.S. Department of Transportation (DOT), or other relevant government bodies.

To learn more about how to join the DPF program, please visit the official DPF website.