E.U. and U.S. Have Agreed to A New Data Privacy Framework - What’s Old is New Again
Privacy Plus+
Privacy, Technology and Perspective
E.U. and U.S. Have Agreed to A New Data Privacy Framework - What’s Old is New Again. This week, let’s explore the new Data Privacy Framework self-certification procedure which the U.S. Commerce Department has established as a way for U.S. companies to comply with the E.U. Data Privacy Principles.
Historical Context: The transatlantic relationship between the U.S. and the E.U. concerning data transfers has been a complex and contentious topic. Fundamental differences in how both jurisdictions perceive and handle data privacy have resulted in numerous challenges. We have written on this topic before, and you can review one of those posts by clicking on the following link to our post entitled, “E.U.-U.S. Digital Divide”:
https://www.hoschmorris.com/privacy-plus-news/the-eu-us-digital-divide
Generally, the E.U. imposes rigorous controls over the transfer of Europeans’ personal data to countries outside the E.U. For about two years after the inception of GDPR in 2018, U.S. companies could lawfully transfer Europeans’ personal data to the U.S. by “self-certifying” their adherence to the “Privacy Shield” requirements.
Over a thousand U.S. companies “self-certified” to the Privacy Shield, including a number of law firms. However, this process was abruptly halted in July 2020, when the European Court of Justice invalidated the Privacy Shield, finding that it was inadequate to provide the requisite protection for personal data regulated under the GDPR.
Negotiations then recommenced, culminating in late 2022 with the announcement of an agreement on a new “Data Privacy Framework” between the U.S. and the EEA (the “European Economic Area,” comprised of the EU plus Iceland, Lichtenstein and Norway). (Corresponding “extension” agreements with the UK and Switzerland are expected once government approvals are confirmed.)
The new “Data Privacy Framework.” The new Data Privacy Framework largely follows the old Privacy Shield requirements, but is stricter in a number of areas that are important to Europe, particularly regarding the U.S. intelligence community. Companies will again be allowed to “self-certify,” providing information about their privacy practices, the individuals responsible for them, and independent recourse mechanisms available to investigate complaints (including optional arbitration before the AAA), but must agree to binding commitments to compliance with European data protection law (such as following the “advice” of European data-protection authorities).
Detailed Requirements. Because the new Data Privacy Framework must satisfy European regulators and privacy activists, it is very detailed, with seven “Principles” and sixteen “Supplemental Principles” (and an “Arbitral Model”). Each has its own subset of requirements and expectations. For an overview of the Principles, see the following:
U.S. Commerce Department Website: To assist in this process, the Commerce Department has recently opened a new website with detailed explanations and instructions. We highly recommend it. You can see it by clicking on the following:
https://www.dataprivacyframework.gov/s/
Our Thoughts: A company’s “self-certification” will not take effect until it has been confirmed by the Commerce Department and published on the list of self-certifying companies. That list will be available to the public, as well as to regulators on both sides of the Atlantic. In the old “Privacy Shield” days, we noticed a number of companies (including law firms) who “self-certified” that they were in compliance, but a cursory glance at their Privacy Notices revealed they weren’t. To that end, we think that now would be a good time for those companies (and firms) to review their Privacy Notices, and check for their accuracy and compliance with the new Data Privacy Framework. (Everyone will have to do that anyway as part of the new self-certification process.)
One reason the Privacy Shield failed was a sense that any enforcement was “toothless.” The Data Privacy Framework is an attempt to correct that. Just as failing to comply with one’s own Privacy Notice may be an “unfair or deceptive act or practice” under the FTC Act, so would “self-certifying” to a mirage of compliance with the Data Privacy Framework – but this time, more people are watching.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.