Listen to this post

Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism -but not the only mechanism- for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other words, for BCRs or SCCs.

Why, then, might a company want to participate? Especially if this program has a short life span, and ceases to receive EU approval, likes its predecessors (the Safe Harbor and Privacy Shield) programs? Reasons for participation include because the organization finds it is being pushed by EU contractual partners to participate. Or, negotiating hundreds of individual SCCs may be overly burdensome. There is no one-size-fits-all answer to whether participation makes sense. Companies will want to evaluate the program carefully, as participation goes beyond merely signing up on the Department of Commerce website.

As part of the evaluation process, it may be helpful to keep in mind the steps for participation, which include:

  1. Developing or updating individual rights and choice mechanisms: Program participants will need mechanisms to provide individuals with rights and to make choices. These include, as with US state laws, giving individuals the ability to make rights requests (access, correction and deletion). Participants must also give people the ability to opt-out of marketing, having their information shared with (non-agent) third parties, or used for a materially different purpose. Those collecting and using sensitive information (including, inter alia, health and ethnic origin information) must get consent if that information will be disclosed or used for a purpose other than that for which it was collected.
  2. Implementing a complaint handling process and selecting an independent recourse mechanism: DPF participants will need to put in place a process to handle consumer complaints. Like predecessor programs, they will have to give individuals the ability to lodge complaints with an independent recourse mechanism (third party) or by agreeing to cooperate with the relevant EU data protection authority.
  3. Developing or updating internal policies and procedures: The program is enforced on the US side by the Federal Trade Commission, under the unfairness and deception prong of the FTC Act. Participants are required to make certain disclosures about their compliance with the program, and the FTC will enforce those by examining whether the company has adhered to them (i.e., are not deceptive claims). Given this, companies will want to ensure they have undergone sufficient diligence to confirm compliance with their representations, and have correct policies and procedures in place to make sure they have ongoing compliance. These policies might include, for example, ones focused on security measures, consumer rights responses, and data integrity and purpose limitations.
  4. Adopting a verification process/adopt appropriate record keeping: Participants will need a method for verifying that they are complying with the program. This can be with an external verification body, or through self-verification. Part of the DPF’s verification requirement is that participants maintain records of how the DPF has been implemented.
  5. Updating privacy policies and related disclosures: DPF participants must include certain content in their privacy policies. This includes saying that the company is subject to FTC jurisdiction and liability in the event of onward transfers. (Other requirements will likely mirror content already in existing policies: the type of personal information collected and the types of entities to whom information is disclosed). Only after the earlier steps are taken will companies be in a position to update their external disclosures.
  6. Submitting the self-certification: DPF participants must not only address the items above, but also register with the Department of Commerce, submitting the required information, designating a point of contact, and paying the applicable fees. Those contemplating participation should keep in mind that there is an annual renewal as well.

Putting It Into Practice: As this list of steps makes clear, participation goes beyond merely modifying a privacy policy and submitting a form. Companies will have many steps to take, including potentially developing internal processes, conducting diligence, adopting new (or modifying existing) policies, implementing record keeping measures, and selecting and working with new (IRM and/or verification) vendors. Keeping these obligations in mind can help as companies are making decisions about whether the DPF is the right program for them.