A new program providing the U.S. insights industry legal certainty for trans-Atlantic data sharing is live, replacing the defunct Privacy Shield.
On July 10, 2023, the European Commission declared that, under the EU General Data Protection Regulation (GDPR), the new European Union – U.S. Data Privacy Framework (DPF) “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to [U.S.] companies under the new framework.”
The new DPF program went live on July 17.
Juliana Wood, Director of Certifications for the Insights Association, commented that, “IA company members who maintained their Privacy Shield enrollment throughout the last few chaotic years are being rewarded with the ease of transitioning to this new program. These companies do not have to fully re-certify, but will need to take steps to update their compliance with the DPF. Insights companies will find this self-certification to be a less-burdensome alternative to the standard contractual clauses (or to no option at all) for legal trans-Atlantic data transfers and we are eager to assist in navigating the required steps toward compliance.”
The insights industry has been waiting three years for the DPF, since the EU Court of Justice struck down the Privacy Shield agreement in 2020. Last year, the two sides agreed on basic principles and the U.S. nailed down new restrictions on government surveillance, paving the way for the final deal.
A company's self-certification of compliance through the U.S. Department of Commerce and appearance on the public Data Privacy Framework List maintained by Commerce demonstrates to European organizations and consumers a serious commitment on the part of the company to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse.
Those IA company/department members already self-certified under the Privacy Shield can immediately begin relying on the new framework for EU-U.S. data transfers as soon as they comply with the EU-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Current Privacy Shield enrollees are instructed to “renew” their DPF self-certification prior to their established renewal date (under the old Privacy Shield program). Each company has its own renewal date.
IA company/department members already self-certified under the Swiss-U.S. Privacy Shield can update their privacy policies with the new program name but may not begin relying on the new framework for receiving personal data transfers until the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF enters into force.
To add the UK Extension to the EU-U.S. DPF, both new applicants and IA company/department members already self-certified under the EU-U.S. Privacy Shield need to submit an updated application and cannot begin relying on the UK Extension to receive personal data transfers from the United Kingdom (and Gibraltar) before the United Kingdom’s anticipated adequacy regulations implementing the data bridge enter into force. Companies that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.
IA members that withdrew from the IA Privacy Shield Program since July 2020 can enroll in the new IA DPF Services Program by submitting an application to the new framework and following the steps to self-certify. The Insights Association offers member companies the guidance they need to understand and meet participation requirements of Commerce’s DPF Program.
Enrolled companies are required to pay both the IA DPF Services Program fee and the Department of Commerce fee annually. Simply enrolling and submitting fees to Commerce does not constitute enrollment in the IA DPF program, as IA continues to serve as the Independent Recourse Mechanism (IRM) for all self-certifications. Dual enrollment with IA and Commerce is required for full enrollment in the program; anything less is considered partial enrollment and technically invalid.
Rich Berke, Vice President of Finance and Legal Affairs for HCD Research, spoke highly of the IA program, which is strictly for IA company members: "Participation in the DPF provides an additional measure of assurance that we are able to comply with personal data transfer requirements of the EU and Switzerland. Additionally, it enables us to better indicate that our policies and procedures for data transfer from the EU to the US are in compliance with the changes to the EU data privacy regulations. I’m very pleased to have the help that the Insights Association has provided. The benefits, especially for a smaller research organization, are significant."
Not yet part of the IA Data Privacy Framework program? Join today.
Bring your questions in the meantime to Juliana Wood.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.