US and EU Regulators Approve New Data Privacy Framework
August 2, 2023 – Data Privacy Alert
In July 2020, the European Union’s Court of Justice invalidated the existing EU-US Privacy Shield program, under which Personally Identifiable Information (“PII”) of EU residents could legally be shared with parties in the US under the EU’s strict General Data Protection Rule (“GDPR”) pursuant to a “safe-harbor” certification process through the US Department of Commerce. The impetus for that ruling was Edward Snowden’s revelations about the US government’s intelligence-gathering practices.
Now, after several years of negotiation, on July 10, 2023, the EU Commission issued an adequacy decision, which formally approved a new safe harbor GDPR data sharing protocol recently agreed upon by the US and EU, called the EU-US Data Privacy Framework (“DPF”). This should significantly ease the burden on US companies that have significant interaction with EU residents when obtaining and processing their PII, especially for e-commerce and social media services.
The US Department of Commerce’s International Trade Administration (“ITA”) has now released detailed instructions on how US companies can self-certify their compliance with the new DPF. An organization must initially self-certify and then annually re-certify to the ITA that it adheres to the DPF Principles, including certain Supplemental Principles that contain a detailed set of requirements. An organization will be able to receive PII under the DPF program from the date the ITA places the organization on the Data Privacy Framework List. Organizations can only be placed on the DPF List after the ITA determines that the organization’s initial self-certification submission is complete. An organization will be removed from the DPF List if it voluntarily withdraws, fails to complete its annual re-certification, or is found to have persistently failed to comply with the DPF Principles.
Only US legal entities subject to the jurisdiction of the Federal Trade Commission (“FTC”), or the US Department of Transportation (“DOT”), are eligible to participate in the DPF program. However, this covers most active US companies engaging in any form of US interstate or foreign commerce. The FTC, in particular, has very broad jurisdiction that covers “the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce...” For reference, here is A Brief Overview of the FTC's Investigative, Law Enforcement, and Rulemaking Authority.
For more information, please contact Barry Werbin.
© 2023 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.