Q. My company is currently enrolled in the IA EU-U.S. and/or Swiss-U.S. Privacy Shield Program. What is the process to transition to the updated IA Data Privacy Framework Services Program?
A. Those U.S. organizations already self-certified under the Privacy Shield can immediately begin relying on the new framework for EU-U.S. data transfers as soon as they update their privacy policies. The same is true for Swiss-U.S. transfers starting July 17, 2023.
Q. What is the timeframe for companies currently enrolled in Privacy Shield that transition to the updated DPF?
A. U.S. based organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must comply with the EU-U.S. DPF Principles by updating their privacy policies by October 10, 2023.
Q. My company withdrew from the IA Privacy Shield Program during the period of its invalidation by the EU. How to I enroll my company in the new IA DPF Services Program?
A. If your company is still a member of IA and based in the U.S., will need to submit an application to the new framework and follow the steps to self-certify. This process is very similar to the process to self-certify to Privacy Shield.
Q. I learned that the new DPF has a UK component and I would like to add that to my company's self certification upon transition from Privacy Shield to the DPF Services Program. What steps should I follow?
A. If your company is currently enrolled in Privacy Shield and you have updated your policy to reflect the requirements of the DPF, starting July 17, 2023 you will need to apply for the UK Extension to the DPF for U.K.-U.S. data transfers. You cannot add the UK Extension to the EU-U.S. DPF without an updated Insights Association DPF Application.
All new IA DPF Services Program applicants will need to specifiy on their application whether they are self-certifying to the EU-U.S. DPF, the EU-U.S DPF with the UK Extension to the EU-U.S DPF, the Swiss-U.S DPF or all three. Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.
*Note: Companies may not begin relying on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. As that date is announced, IA will communicate the information to current program participants and membership.
Q. My company is dual enrolled in the EU-U.S. and Swiss U.S. Privacy Shield Program. What are our responsibilities to transition to the DPF?
A. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the Swiss-U.S. DPF.
*Note: Companies may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF. As that date is announced, IA will communicate the information to current program participants and membership.
Q. What is the annual fee for the program?
A. The Annual Fee for IA's DPF Services Program is based on an organization's annual revenue:
Please note: The IA DPF Services Program is only open to IA corporate members. If you are unsure of your member status, or would like to learn more about IA Membership, click here.
Q. Does the fee cover our application process with the Department of Commerce as well, or is that handled separately?
A. Separately. You must register with the Department of Commerce in addition to enrolling in the Insights Association DPF Services Program. This is done by creating an online account at www.dataprivacyframework.gov. You must pay the DoC fee directly to Commerce and it is separate from the fee paid to the Insights Association for the dispute resolution services provided through the Insights Association DPF Services Program. Failure to pay both the IA application fee and the DoC fee will result in an incomplete self-certication status that could risk exposure should a data subject complaint arise.
Q. Once we begin the process through the Insights Association, how long does the review and certification typically take?
A. It typically takes the Insights Association between 2-3 days (depending on how quickly material is provided) to review your company's privacy policy. It will likely take 2-4 weeks, on average, to hear back from the DPF reviewer at the DoC working on your application and policy.
Q. What are the steps involved to be accepted into the Insights Association DPF Services Program?
A. You will have to:
- Be a company member of the Insights Association (or have applied and have no apparent obstacles to membership)
- Submit the application to the Insights Association DPF Services Program found here
- Ensure that all relevant privacy policies are in compliance with the Framework(s) – There are a couple ways we can do this - we will send you a checklist and/or you send to us all relevant privacy policies for review and they will be returned with necessary changes indicated.
- Once your privacy policies are approved and you are accepted into our program you go on to www.dataprivacyframework.gov and register. The DoC will review your posted policies and check with the Insights Association to confirm your participation. If all is in order they will register you.
Q. Are there any other fees involved?
A. Yes. It is the member company’s responsibility to pay into the Arbitral Fund. This fee is outside of the Insights Association annual program fee. More information, and the payment portal, can be found here: https://go.adr.org/dpf_irm.html.
Q. If my company receives a complaint from an EU or Swiss citizen, how to do I navigate the complaint process?
A. First, contact Juliana Wood for guidance on your specific situation. Next, review the info on IA's Information for EU/Swiss Citizens to file a complaint page. Within that page there is an embedded link that will take you to the DPF complaint page, which contains additional information. Each case will be different, and the good news is that market research and insights companies have had zero formal complaints from overseas data subjects in the 5+ years since the GDPR went into effect.
Q. Are there consequences to making false claims of participating in the DPF?
A. The DoC will monitor any false claims of EU-U.S. DPF participation or the improper use of the EU-U.S. DPF certification mark. In particular, the DoC will on an ongoing basis verify that organisations that
(i) withdraw from participation in the EU-U.S. DPF,
(ii) fail to complete the annual re-certification (i.e. either started, but failed to complete the annual re-certification process in a timely manner or did not even start the annual re-certification process),
(iii) are removed as a participant, notably for “persistent failure to comply,” or
(iv) fail to complete an initial certification (i.e. started, but failed to complete the initial certification process in a timely manner), remove from any relevant published privacy policy references to the EU-U.S. DPF that imply that the organisation actively participates in the Framework.
The DoC will also conduct internet searches to identify references to the EU-U.S. DPF in organisations’ privacy policies, including to identify false claims by organisations that never participated in the EU-U.S. DPF. Where the DoC finds that references to the EU-U.S. DPF have not been removed or are improperly used, it will inform the organisation about a possible referral to the FTC/DoT. If an organisation fails to respond satisfactorily, the DoC will refer the matter to the relevant agency for potential enforcement action or other relevant U.S. enforcement authorities.
Beyond those annual fees, the only additional fees would arise if you receive a complaint that persists to the arbitration stage.
For any other questions not represented here, please contact Juliana Wood, IA's DPF Services Program manager.