The European Commission announced in December that it has begun its process to adopt an adequacy decision for the new EU-U.S. Data Privacy Framework. Companies seeking to transfer data from countries in the European Union to the United States will welcome this news. The European Court of Justice in 2020 invalidated the U.S-EU Privacy Shield based on concerns raised in the Schrems II case. This eliminated an important, relied-upon mechanism to support the lawful transfer of data across the Atlantic. The new data privacy Framework aims to tackle those concerns and clarify data transfers.

Once adopted, the adequacy decision will enable the transfer of personal data from the EU to participating US companies. This transfer can occur without the need for additional data protection safeguards. Organizations can receive personal data as soon as the U.S. Department of Commerce lists them on the Framework.

What Can Companies Do to Prepare?

It is not clear when the Commission will complete its work. However, as companies await the Framework’s final adoption, there are steps they can take to be ready to participate.

1. Understand the criteria for participation and determine eligibility. As was the case under the Privacy Shield, only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) will be eligible to participate in the Framework.  These agencies have committed to enforce the Framework. Companies seeking Framework certification will need to make certain that they fall under their jurisdiction.

2. Develop a privacy policy that complies with the data privacy Framework’s requirements. The Framework includes seven principles:

Notice

Organizations must inform individuals that they adhere to the Framework and its principles. They must also notify individuals about, among other matters, what kind of data they collect and the purpose for which it is processed; third parties with which they share personal data and the purpose for that disclosure; the dispute resolution body they have designated to address complaints and provide recourse, and the organization’s liability in cases of onward transfers to third parties.

Choice

Organizations must provide individuals with the opportunity to opt out of (i) disclosure of their personal data to a third party; or (ii) use of their personal data for a purpose that differs significantly from the purpose for which it was originally collected. The Framework requires that sensitive data may only be disclosed or used for a different purpose if the individual has affirmatively consented.

Accountability for Onward Transfer

Participants in the Framework may only transfer data, whether within the U.S. or to another third country (i) for limited and specified purposes, (ii) on the basis of a contract with the third party, and (iii) if the contract imposes on the third party the same level of protection as required by the principles.  

Security

Organizations must take reasonable and appropriate measures to protect personal data from loss, misused and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.

Data Integrity and Purpose Limitation

Among other requirements, personal information must be limited to information that is relevant for the purposes of processing, and may not be proved in a manner that is incompatible with the purposes for which the information was collected or subsequently authorized by the individual.

Access

Organizations must enable individuals to access, correct, amend, or delete their personal data, subject to certain limited exceptions.

Recourse, Enforcement and Liability

Organizations must provide an independent recourse mechanism to investigate unresolved complaints at no cost to the individual.

Developing this policy will require review of your company’s data collection, processing and protection practices.  If your company already has a policy in place, it will be important to be sure that it reflects each of these principles, and that it is up-to-date and an accurate reflection of your data practices.

3. Identify a person within your company who will serve as the contact responsible for all matters related to participation in the Framework.

Each participating organization must designate an internal contact responsible for handling questions, complaints, access requests, and any other issues arising under the Framework. This contact can be the corporate officer who is certifying your organization's compliance with the Framework. Moreover, the contact can be another official within your organization, such as a chief privacy officer.

What Next?

These are steps companies can take now.  Once the data privacy Framework is approved and in place companies also will need to:

1. Pay any required fees.

2. Ensure the organization’s compliance verification mechanism is in place.

3. Review the information required to self-certify.

4. Submit the organization’s self-certification to the Department of Commerce.

How Can Achieved Compliance Help?

With over 20 years of client counseling and international data policy expertise in the ups and downs of privacy regulation, we are well equipped to advise you on these upcoming changes. Our team will provide you with the power, knowledge, and processes to achieve compliance internationally. Please schedule a free consultation with Achieved if you have any questions.