Adoption of the New EU-U.S. Data Privacy Framework Approaches: What Companies Can Do Now to Prepare

Written by

Achieved Compliance

The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework).  Companies seeking to transfer data from countries in the European Union to the United States will welcome this news. The European Court of Justice in 2020 invalidated the U.S-EU Privacy Shield based on concerns raised in the Schrems II case, eliminating an important, relied-upon mechanism to support the lawful transfer of data across the Atlantic. The new Framework is designed to address those concerns and to restore clarity and certainty about data transfers from the EU to the U.S.

Once the adequacy decision is adopted, it will be possible to transfer personal data from the EU to participating companies the United States, without having to put in place additional data protection safeguards.  Organizations will be able to receive personal data on the basis of the Framework from the date they are placed on the Framework list by the U.S. Department of Commerce.

What Can Companies Do to Prepare?

It is not clear when the Commission will complete its work, but as companies await the Framework’s final adoption, there are steps they can take to be ready to participate in the program and to streamline the path to lawful data transfer.

1. Understand the criteria for participation and determine eligibility.  As was the case under the Privacy Shield, only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) will be eligible to participate in the Framework.  These agencies have committed to enforce the Framework.  Companies seeking Framework certification will need to make certain that they fall under their jurisdiction.

2. Develop a privacy policy that complies with the Framework’s requirements.  The Framework includes seven principles

     a. Notice - Organizations must inform individuals that they adhere to the Framework and its principles. They must also notify individuals about, among other matters, what kind of data they collect and the purpose for which it is processed; third parties with which they share personal data and the purpose for that disclosure; the dispute resolution body they have designated to address complaints and provide recourse, and the organization’s liability in cases of onward transfers to third parties.

     b. Choice - Organizations must provide individuals with the opportunity to opt out of (i) disclosure of their personal data to a third party; or (ii) use of their personal data for a purpose that differs significantly from the purpose for which it was originally collected.  The Framework requires that sensitive data may only be disclosed or used for a different purpose if the individual has affirmatively consented.

     c. Accountability for Onward Transfer – Participants in the Framework may only transfer data, whether within the U.S. or to another third country (i) for limited and specified purposes, (ii) on the basis of a contract with the third party, and (iii) if the contract imposes on the third party the same level of protection as required by the principles.  

     d. Security – Organizations must take reasonable and appropriate measures to protect personal data from loss, misused and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.

     e. Data Integrity and purpose limitation – Among other requirements, personal information must be limited to information that is relevant for the purposes of processing, and may not be proved in a manner that is incompatible with the purposes for which the information was collected or subsequently authorized by the individual.

      f. Access - Organizations must enable individuals to access, correct, amend, or delete their personal data, subject to certain limited exceptions.

     g. Recourse, Enforcement and Liability – Organizations must provide an independent recourse mechanism to investigate unresolved complaints at no cost to the individual.

Developing this policy will require review of your company’s data collection, processing and protection practices.  If your company already has a policy in place, it will be important to be sure that it reflects each of these principles, and that it is up-to-date and an accurate reflection of your data practices.

3. Identify a person within your company who will serve as the contact responsible for all matters related to participation in the Framework.

Each participating organization must designate an internal contact responsible for handling questions, complaints, access requests, and any other issues arising under the Framework. This contact can be either the corporate officer who is certifying your organization's compliance with the Framework, or another official within your organization, such as a chief privacy officer.

What Next?

These are steps companies can take now.  Once the Framework is approved and in place companies also will need to:

1. Pay any required fees.

2. Ensure the organization’s compliance verification mechanism is in place.

3. Review the information required to self-certify.

4. Submit the organization’s self-certification to the Department of Commerce.

How Can Achieved Compliance Help?

With over 20 years of client counseling and international data policy expertise in the ups and downs of privacy regulation, we are well equip to advise you on these upcoming changes. Our team will provide you with the power, knowledge, and processes to achieve compliance internationally. Please schedule a free consultation with Achieved if you have any questions.