Taking Steps to Comply with the EU-US Adequacy Decision
It has been three years since the EU-US Privacy Shield Framework was invalidated by a decision known to most as “Schrems II”. After years of collaboration between the European Union (EU) and the United States (U.S.), the EU has officially adopted and deemed adequate a new EU-US Data Privacy Framework (DPF), making July 10, 2023 the latest milestone in the history of personal data sharing across the Atlantic. Businesses processing EU personal data in the U.S. have witnessed many changes over the last decade that have made privacy compliance a moving target; thus, many have awaited the adoption of a new cross-border transfer mechanism that allows for the safe transfer of personal data between the two regions while minimizing the disruption, time, and resources required to achieve and maintain compliance.
Third time’s the charm, perhaps? The EU-US DPF is the latest of three different frameworks that have each at one point been deemed valid to facilitate the transfer of personal data from the EU to the U.S. The two predecessors, US-EU Safe Harbor and the EU-US Privacy Shield, were both invalidated by EU courts after a well-known data privacy activist, Max Schrems, successfully contested the safety of EU personal data transferred under these frameworks.
The primary problem with the preceding frameworks, particularly in the decision to invalidate the Privacy Shield framework, has been U.S. government intelligence and surveillance practices that the EDPB felt put the personal data of EU individuals at risk. To address these concerns, President Biden signed an Executive Order, along with accompanying regulations, that imposes data minimization requirements and limitations on U.S. intelligence agencies. Additionally, an independent redress mechanism has been established to handle complaints. These safeguards ultimately influenced the decision to adopt the EU-US DPF, though the decision will be continuously monitored to maintain adequacy under EU law.
Steps to Comply
According to the Department of Commerce, companies will be able to apply for certification through the Data Privacy Framework website and will need to commit to certain privacy obligations. The new framework will be enforced by the U.S. Federal Trade Commission (FTC) or the Department of Transportation (DOT), depending on the jurisdiction. In preparation for certification, companies should follow these steps:
- Confirm eligibility and decide on the scope of your certification. Only the FTC and DOT are committed to enforcement; therefore, only U.S. legal entities under their jurisdiction are eligible to participate. Similar to Privacy Shield, there are multiple variations of the framework certification: EU-US DPF, Swiss-US DPF, and the UK Extension to the EU-US DPF. There will also be two types of data subjects: (1) Human Resources Data and (2) Personal Data Other than Human Resources Data. Your company should decide which of these frameworks and data subjects are applicable before proceeding, as this will also affect the cost of certification.
- Determine how you will verify. The DPF offers two verification methods: Self-certification or Outside Compliance Review. Although the DPF is a self-certification process, it can be beneficial to seek third-party support to assess your maturity against the framework. Enforcement by the FTC means that companies that attest without adequately implementing appropriate controls can face complaints or enforcement action for unfair and deceptive trade practices under Section 5 of the Federal Trade Commission Act. Therefore, companies should not treat this as a check-the-box exercise.
- Conduct a readiness assessment. Compare your existing privacy program controls against the obligations and requirements set out in the new framework. This can be a self-assessment or a third-party review. Before embarking on the certification, you’ll need to understand how your program measures up to the requirements and remediate any gaps ahead of your application. A third-party assessment should also help guide you through the requirements, documentation, and contact information you’ll need to collect and prepare before initiating the certification application on the DPF website.
- Update your Privacy Statement(s). You must have DPF-compliant privacy statements applicable to the data subjects in scope before submitting a self-certification. This includes aligning them to the DPF principles, making reference to your framework participation and the framework website, and indicating your independent recourse mechanism.
- Initiate certification through the DPF website. Your privacy officer or similar designee should follow the steps on the DPF website and create an International Trade Administration account for your organization. Once the account is created, they’ll need to complete the application, providing responses and supplementary documentation to attest to your organization’s adherence to the framework. If you choose a third party for an outside compliance review, they can support you through this process as well, though you should always have a company designee who is the primary contact and responsible for the DPF account.
As we often say in this space, there is never a dull moment in data privacy. We are six months in, and 2023 is shaping up to be a very active year for privacy regulation. This decision is no exception.
For further guidance on how to navigate the EU’s decision and the new Data Privacy Framework, contact BDO’s Privacy & Data Protection practice.