EU-U.S. Data Privacy Framework Finally Live for Trans-Atlantic Data Transfers - Articles

Articles

26Jul

EU-U.S. Data Privacy Framework Finally Live for Trans-Atlantic Data Transfers

A new program providing the U.S. insights industry legal certainty for trans-Atlantic data sharing is live, replacing the defunct Privacy Shield.

On July 10, 2023, the European Commission declared that, under the EU General Data Protection Regulation (GDPR), the new European Union – U.S. Data Privacy Framework (DPF) “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to [U.S.] companies under the new framework.”

The new DPF program went live on July 17.

Juliana Wood, Director of Certifications for the Insights Association, commented that, “IA company members who maintained their Privacy Shield enrollment throughout the last few chaotic years are being rewarded with the ease of transitioning to this new program. These companies do not have to fully re-certify, but will need to take steps to update their compliance with the DPF.  Insights companies will find this self-certification to be a less-burdensome alternative to the standard contractual clauses (or to no option at all) for legal trans-Atlantic data transfers and we are eager to assist in navigating the required steps toward compliance.”

The insights industry has been waiting three years for the DPF, since the EU Court of Justice struck down the Privacy Shield agreement in 2020. Last year, the two sides agreed on basic principles and the U.S. nailed down new restrictions on government surveillance, paving the way for the final deal.

A company's self-certification of compliance through the U.S. Department of Commerce and appearance on the public Data Privacy Framework List maintained by Commerce demonstrates to European organizations and consumers a serious commitment on the part of the company to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse.

Those IA company/department members already self-certified under the Privacy Shield can immediately begin relying on the new framework for EU-U.S. data transfers as soon as they comply with the EU-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Current Privacy Shield enrollees are instructed to “renew” their DPF self-certification prior to their established renewal date (under the old Privacy Shield program). Each company has its own renewal date.

IA company/department members already self-certified under the Swiss-U.S. Privacy Shield can update their privacy policies with the new program name but may not begin relying on the new framework for receiving personal data transfers until the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF enters into force.

To add the UK Extension to the EU-U.S. DPF, both new applicants and IA company/department members already self-certified under the EU-U.S. Privacy Shield need to submit an updated application and cannot begin relying on the UK Extension to receive personal data transfers from the United Kingdom (and Gibraltar) before the United Kingdom’s anticipated adequacy regulations implementing the data bridge enters into force. Companies that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.

IA members that withdrew from the IA Privacy Shield Program since July 2020 can enroll in the new IA DPF Services Program by submitting an application to the new framework and following the steps to self-certify. The Insights Association offers member companies the guidance they need to understand and meet participation requirements of Commerce’s DPF Program.

Enrolled companies are required to pay both the IA DPF Services Program fee and the Department of Commerce fee annually. Simply enrolling and submitting fees to Commerce does not constitute enrollment in the IA DPF program, as IA continues to serve as the Independent Recourse Mechanism (IRM) for all self-certifications. Dual enrollment with IA and Commerce is required for full enrollment in the program; anything less is considered partial enrollment and technically invalid.

Rich Berke, Vice President of Finance and Legal Affairs for HCD Research, spoke highly of the IA program, which is strictly for IA company members: "Participation in the DPF provides an additional measure of assurance that we are able to comply with personal data transfer requirements of the EU and Switzerland. Additionally, it enables us to better indicate that our policies and procedures for data transfer from the EU to the US are in compliance with the changes to the EU data privacy regulations. I’m very pleased to have the help that the Insights Association has provided. The benefits, especially for a smaller research organization, are significant."

Not yet part of the IA Data Privacy Framework program? Join today.

Bring your questions in the meantime to Juliana Wood.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

About the Author

Howard Fienberg

Howard Fienberg

Based in Washington, DC, Howard is the Insights Association's lobbyist for the marketing research and data analytics industry, focusing primarily on consumer privacy and data security, the Telephone Consumer Protection Act (TCPA), tort reform, and the funding and integrity of the decennial Census and the American Community Survey (ACS). Howard has more than two decades of public policy experience. Before the Insights Association, he worked in Congress as senior legislative staffer for then-Representatives Christopher Cox (CA-48) and Cliff Stearns (FL-06). He also served more than four years with a science policy think tank, working to improve the understanding of scientific and social research and methodology among journalists and policymakers. Howard is also co-director of The Census Project, a 900+ member coalition in support of a fair and accurate Census and ACS. He has also served previously on the Board of Directors for the National Institute for Lobbying and Ethics and and the Association of Government Relations Professionals. Howard has an MA International Relations from the University of Essex in England and a BA Honors Political Studies from Trent University in Canada, and has obtained the Certified Association Executive (CAE), Professional Lobbying Certificate (PLC) and the Public Policy Certificate (PPC). When not running advocacy for the Insights Association, Howard enjoys hockey, NFL football, sci-fi and horror movies, playing with his dog, and spending time with family and friends.

Related

California A.B. 3048 Would Require Compliance with Opt Out Preference Signals

California A.B. 3048 Would Require Compliance with Opt Out Preference Signals

California A.B. 3048 would allow consumers the ability to exercise their privacy preferences through...

Read More >
Kids Online Safety Act - KOSA - S. 1409 and H.R. 7891

Kids Online Safety Act - KOSA - S. 1409 and H.R. 7891

The Kids Online Safety Act (KOSA) (S. 1409 and H.R. 7891) would restrict the design and operations o...

Read More >
American Privacy Rights Act - 2024 Federal Privacy Legislation from Sen. Cantwell and Rep. McMorris Rodgers

American Privacy Rights Act - 2024 Federal Privacy Legislation from Sen. Cantwell and Rep. McMorris Rodgers

​​​​​​​The chairs of the U.S. Senate Commerce Committee and House Energy & Commerce Committee...

Read More >
IA Reacts to New Comprehensive U.S. Privacy Legislation - the American Privacy Rights Act

IA Reacts to New Comprehensive U.S. Privacy Legislation - the American Privacy Rights Act

​​​​​​​The Insights Association (IA), the leading nonprofit trade association for the market ...

Read More >
California A.B. 3124 Would Require Customer Data Retention by Sellers of Consumer Information

California A.B. 3124 Would Require Customer Data Retention by Sellers of Consumer Information

California A.B. 3124 would prohibit certain covered personal data from being make publicly available...

Read More >
Utah Artificial Intelligence Policy Act Signed into Law

Utah Artificial Intelligence Policy Act Signed into Law

The Utah Artificial Intelligence Policy Act (S.B. 149) was signed into law, requiring companies and ...

Read More >
Members only Article - Please login to view