The European Commission announced this week its adoption of the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The EU-U.S. DPF restores a critical regulatory basis for data flows between the EU and U.S., one that was vacated when the Court of Justice of the European Union struck down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law. In this article, we explore what the EU-U.S. DPF entails, its principles, administration, oversight, and enforcement.
What Is the EU-U.S. Data Privacy Framework (EU-U.S. DPF)?
The EU-U.S. DPF is a framework by which U.S. organizations commit to a set of privacy principles to protect personal data transferred from the European Union to U.S. organizations.
The framework is given effect through an adequacy decision, one of the transfer tools provided under the EU’s General Data Protection Regulation (GDPR). An adequacy decision allows personal data (personally identifiable information, or PII, in U.S. usage) to be transferred from the EU to a country that offers a level of protection for personal data essentially equivalent to that of the European Union.
For organizations to be eligible for EU-U.S. DPF certification, they must agree to be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). The EU-U.S. Data Privacy Framework Principles apply immediately upon certification of an organization. EU-U.S. DPF-listed organizations are required to recertify their adherence to the principles annually.
What Does the EU-U.S. DPF Seek to Protect?
The EU-U.S. DPF offers protection to any personal data transferred from the EU to organizations in the U.S. that have certified their adherence to the framework’s principles, issued by the Department of Commerce. Personally identifiable information such as names, email addresses, phone numbers, etc., are usually transferred from the EU to the U.S. by organizations such as Amazon, Meta (Facebook, Instagram, etc.), and Apple, among others, which are all headquartered in the U.S.
However, the framework exempts data that is collected for publication, broadcast, or other forms of public communication of journalistic material and information in previously published material disseminated from media archives.
Data Controllers and Data Processors Under EU-U.S. DPF
The EU-U.S. DPF applies to organizations in the U.S. that qualify as data controllers or data processors. The framework defines a data controller as a person or organization that, alone or jointly with others, determines the purposes and means of the processing of personal data. It defines data processors as agents acting on behalf of a controller.
Data processing under the EU-U.S. DPF is defined as any operation or set of operations that are performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
The framework states that U.S. processors are contractually bound to act only on instructions from an EU controller and assist them in responding to individuals exercising their rights under the principles of the framework. In the case of sub-processing, a processor must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the principles of the framework and take steps to ensure its proper implementation.
EU-U.S. Data Privacy Framework Principles
The EU-U.S. DPF principles are essentially requirements on certified organizations and corresponding rights for data subjects (i.e., individuals in the EU) whose personal information is processed by controllers or processors subject to this framework. Principles include:
Purpose Limitation and Choice Principle Ensures Data Is Processed Lawfully
One of the key provisions outlined in the EU-U.S. DPF, this principle stipulates that any PII must be processed in a lawful and fair manner. It dictates that such data should be gathered for a clearly defined purpose and should not be further used in a way that contradicts this original intention. Essentially, an organization cannot repurpose personal data in a manner that deviates from its original or subsequently sanctioned purpose, as agreed upon by the individual whose data is in question.
Moreover, the principle of choice demands that, should an organization wish to use PII for a new purpose that is materially different from the original one (even if still compatible with it), or share it with a third party, the individual who can be identified by the PII must be given the opportunity to refuse the use of the PII for this new purpose. This refusal, or opt-out, should be facilitated through a clear, conspicuous, and readily available mechanism.
Special Categories of Personal Data Must Be Processed With Extreme Care
This principle essentially highlights the need for special precautions when it comes to handling and processing “sensitive information.” This term, as defined by the framework, includes personal data that provides details about an individual’s medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life, as well as any other information received from a third party where that third party identifies and treats it as sensitive.
The principle mandates that certified organizations under the EU-U.S. DPF treat any data classified as sensitive under European Union data protection law with the same level of sensitivity. In essence, organizations must obtain explicit permission—an “opt-in”—from individuals to use their sensitive information for purposes beyond those originally collected for or subsequently authorized by the person in question. Exceptions to this rule are only allowed in certain circumstances, such as when this sensitive data processing is crucial for legal claims, medical care, diagnosis, or when it’s in a person’s vital interest, in line with the exceptions already established under EU data protection law.
Data Accuracy, Minimization, and Security Keeps Data Confidential and Only for as Long as It’s Needed
This principle underscores the importance of precision, relevance, and security in data management. The principle mandates that data must be not only current and correct but also specific and proportionate to its intended purpose. In addition, the data should not be retained beyond the period required for its intended use. As with the data integrity and purpose limitation principle, the data accuracy, minimization, and security principle reinforces the critical need to restrict data to what is relevant for the processing purpose, while ensuring that the data is complete, accurate, and reliable.
With regard to the retention of personal data, the framework stipulates that PII can be stored in an identifiable manner only as long as it is necessary for the purpose initially established or subsequently authorized by the involved individual. Exceptions to this include specific purposes like public interest archiving and statistical analysis, provided that adequate safeguards are in place.
This principle also emphasizes the importance of security, steering organizations to implement measures to protect data from unauthorized access or accidental loss or damage, considering the associated risks and nature of data processing. The security principle thereby reinforces maintaining a reasonable and appropriate level of data security.
Transparency Principle Underscores the Need for Up-front Notification to Data Subjects
The transparency principle requires that data subjects should be informed of the main features of the processing of their personal data. This principle requires organizations to inform data subjects about:
- The participation of the organization in the DPF
- The type of data collected
- The purpose of the processing
- The type or identity of third parties to which personal data may be disclosed and the purposes for doing so
- Their individual rights
- How to contact the organization
- Available redress avenues
This principle underscores the need for up-front notification to data subjects, which should be given when they are first asked for their personal data or as soon as feasible thereafter. It also stipulates that data subjects be notified before their data is used for any materially different (but still compatible) purpose than the one it was originally collected for, or before it is shared with a third party.
Moreover, organizations are required to publicly disclose privacy policies that demonstrate adherence to these principles. Those policies should also include links to the Department of Commerce’s website for additional information on certification, data subjects’ rights, available recourse mechanisms, the Data Privacy Framework List of participating organizations, and the website of a suitable alternative dispute resolution provider.
Individual Rights Principle Gives Data Subjects Power Over Their Personal Data
Individual, or specifically data subject, rights can be asserted against those who control or process data. This principle includes the rights to access personal data, to object to the processing of this data, and to have any incorrect data rectified or erased.
“Access to data” means that individuals can request information from any organization on whether it is processing their personal data without needing to provide a reason. They also have a right to be informed about the types of personal data being processed, the purpose of the processing, and the entities to whom the PII is disclosed. Any access requests should be responded to in a timely manner.
Individuals have the right to have their data corrected or deleted if it is inaccurate or has been processed in violation of the agreed principles. They can also object to the use of their data for purposes that are substantially different from the original intent, and to the sharing of their data with third parties. They also have the right to opt out of their personal data being used for direct marketing at any point.
Restrictions on Onward Transfers
The level of protection afforded to personal data transferred from the European Union to organizations in the United States must not be undermined by the further transfer of such data to a recipient in the United States or another country. This principle provides that any onward transfer can only take place:
- For limited and specified purposes
- On the basis of a contract between the EU-U.S. DPF organization and the third party (or comparable arrangement within a corporate group)
- Only if that contract requires the third party to provide the same level of protection as the one guaranteed by the principles
Accountability Principle Ensures Organizations Demonstrate Compliance
The principle of accountability holds that organizations processing data are obligated to implement suitable technical and organizational measures to ensure full compliance with data protection duties. This includes demonstrable compliance particularly to the relevant regulatory authorities. Becoming certified under the EU-U.S. DPF is a voluntary choice, but once committed, the organization’s rigorous adherence to the framework’s principles becomes obligatory and legally binding. Moreover, these organizations should establish robust mechanisms for ensuring their compliance with these principles.
They are also expected to verify if their privacy policies align with the principles and confirm their execution. This can be achieved through self-assessment systems featuring internal procedures that mandate employee training on the execution of the organization’s privacy policies. Regular and objective reviews of compliance are also part of this process. Alternatively, external compliance reviews can also be carried out using methodologies such as auditing, random checks, or employing technology tools.
Administration, Oversight, and Enforcement of the EU-U.S. DPF
The EU-U.S. DPF will be administered and monitored by the U.S. Department of Commerce (DoC). The framework outlines various enforcement mechanisms that will be used to ensure compliance with the principles, with breaches to be addressed by the competent U.S. authorities described below.
How Will Organizations Be Certified and Recertified?
For organizations to certify or recertify annually, they must publicly commit to abiding by the principles of the EU-U.S. DPF framework. This includes making privacy policies freely accessible and ensuring they are properly implemented. As part of the certification or recertification process, organizations must provide the DoC with:
- The name of the relevant organization
- A description of the purposes for which the organization will process personal data
- The personal data that will be covered by the certification
- The chosen verification method
- The relevant independent recourse mechanism
- The statutory body that has jurisdiction to enforce compliance with the principles
How Will Compliance With the EU-U.S. DPF Be Monitored?
Compliance with the principles of the EU-U.S. DPF will be continually monitored by the DoC. This will involve various measures including conducting random “spot checks” on selected organizations and specific ad hoc checks when potential compliance issues arise. The DoC will assess whether:
- Point(s) of contact for handling complaints and data subject requests are available and responsive
- The organization’s chosen independent dispute resolution mechanism is available to handle complaints
Identifying and Addressing False Claims of Participation
False claims of participation in the EU-U.S. DPF, or misuse of the certification mark, will be monitored by the DoC. This will be done both on the DoC’s own initiative and in response to grievances, such as those from Data Protection Authorities (DPAs). The DoC will continuously check that organizations that have withdrawn from the EU-U.S. DPF, or that have failed to complete initial certification or annual recertification, are removed from the Data Privacy Framework List and have removed all references to the EU-U.S. DPF from their published privacy policies. The DoC will also conduct internet searches to check for any unlawful references to the EU-U.S. DPF in organizations’ privacy policies.
How Will the EU-U.S. DPF Be Enforced?
Enforcement of the EU-U.S. Data Privacy Framework is separated from its administration: while the DoC maintains the list and monitors participants, the power to investigate and penalize noncompliance rests with the competent U.S. regulatory bodies, primarily the Federal Trade Commission and the Department of Transportation. Organizations within the EU-U.S. DPF must be answerable to one of these bodies as a condition of certification. These U.S. authorities possess the investigatory and enforcement powers necessary to compel compliance with the principles of the framework; in the FTC’s case, a certified organization’s failure to honor its publicly stated commitments is actionable as a deceptive practice under Section 5 of the FTC Act.
Access and Use of Personal Data Transferred From the European Union by Public Authorities in the United States
Under the EU-U.S. Data Privacy Framework, access to transferred personal data by U.S. public authorities is a central issue, since it was the reason the prior Privacy Shield was invalidated. The framework recognizes that personal data processed by certified U.S. organizations can subsequently be accessed for criminal law enforcement purposes by U.S. federal prosecutors and investigators, who treat it the same as information obtained from any other U.S.-based organization, irrespective of a data subject’s nationality or place of residence.
Further, data transferred from the EU to organizations under the EU-U.S. DPF can be collected by U.S. agencies for national security purposes, which operate under distinct legal provisions with specific conditions and safeguards. Once personal data has been received by organizations located in the U.S., intelligence agencies can access it for national security reasons where authorized by law, specifically under statutes such as the Foreign Intelligence Surveillance Act (FISA) or provisions that permit access via National Security Letters (NSL). Moreover, U.S. intelligence agencies may collect personal data outside the United States, including data in transit between the EU and the U.S.; this collection is primarily based on Executive Order 12333 (EO 12333). The safeguards on which the adequacy decision rests come chiefly from Executive Order 14086 (October 2022), which limits U.S. signals intelligence collection to what is necessary and proportionate to defined national security objectives and creates a two-tier redress mechanism for EU individuals, culminating in the Data Protection Review Court.
Kiteworks Streamlines Compliance With the EU-U.S. Data Privacy Framework
Data privacy regulations require stringent control over the movement and processing of personal data. Organizations must, in response, demonstrate strict adherence or risk noncompliance, which can include financial penalties, litigation, customer loss, and brand erosion. The Kiteworks Private Content Network (PCN) addresses these data privacy challenges and, in turn, mitigates noncompliance risks. Kiteworks provides organizations the tools to unify, protect, control, and track the PII and other sensitive content they share with trusted third parties. With Kiteworks, organizations can see where PII is stored, who has access to it, and what they’re doing with it. This enables organizations to report, retrieve, return, or delete PII, ensuring adherence to the EU-U.S. Data Privacy Framework.
Kiteworks provides on-premises and private cloud deployments that adhere to data sovereignty requirements. End-to-end encryption for each communication channel (including email, web forms, file sharing, application programming interfaces [APIs], and managed file transfer [MFT]) ensures that sensitive data remains secure in transit and at rest. Granular access controls allow organizations to precisely manage who can access specific data. Detailed audit logs and real-time monitoring capabilities enable organizations to demonstrate compliance with the EU-U.S. Data Privacy Framework and numerous other data privacy regulations and standards, including the General Data Protection Regulation (GDPR), the Information Security Registered Assessors Program (IRAP), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), Cyber Essentials Plus, ISO/IEC 27001, and many more.
For more information on how the Kiteworks Private Content Network can help your organization comply with the EU-U.S. Data Privacy Framework, schedule a custom-tailored demo today.