US and EU Regulators Approve New Data Privacy Framework

In July 2020, the European Union’s Court of Justice invalidated the existing EU-US Privacy Shield program, under which Personally Identifiable Information (“PII”) of EU residents could legally be shared with parties in the US under the EU’s strict General Data Protection Rule (“GDPR”) pursuant to a “safe-harbor” certification process through the US Department of Commerce. The impetus for that ruling was Edward Snowden’s revelations about the US government’s intelligence-gathering practices.

Since then, US companies operating e-commerce and other interactive sites that obtain PII from EU residents have had to fully comply with complex GDPR “standard contractual clauses,” privacy policy disclosures and related legal requirements respecting the receipt, processing, storage and sharing of such data.

Now, after several years of negotiation, on July 10, 2023, the EU Commission issued an adequacy decision, which formally approved a new safe harbor GDPR data sharing protocol that recently was agreed upon by the US and EU, called the EU-US Data Privacy Framework (“DPF”). This should now significantly ease the burden for US companies with significant interaction with EU residents to obtain and process their PII, especially for e-commerce and social media services.

The US Department of Commerce’s International Trade Administration (“ITA”) has now released detailed instructions on how US companies can self-certify their compliance with the new DPF. Please click here to view these instructions. An organization must initially self-certify and then annually re-certify to the ITA that it adheres to the DPF Principles, including certain Supplemental Principles that contain a detailed set of requirements. An organization will be able to receive PII under the DPF program from the date the ITA places the organization on the Data Privacy Framework List. Organizations can only be placed on the DPF List after the ITA determines that the organization’s initial self-certification submission is complete. An organization will be removed from the DPF list if it voluntarily withdraws, fails to complete its annual re-certification, or is found to have persistently failed to comply with the DPF Principles.

Only US legal entities subject to the jurisdiction of the Federal Trade Commission (“FTC”), or the US Department of Transportation (“DOT”), are eligible to participate in the DPF program. However, this covers most active US companies engaging in any form of US interstate or foreign commerce. The FTC, in particular, has very broad jurisdiction that covers “the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce...” For reference, here is A Brief Overview of the FTC's Investigative, Law Enforcement, and Rulemaking Authority.

Organizations seeking to self-certify must first develop DPF-compliant privacy policies that contain mandated notifications, which must be in clear and conspicuous language and disclosed when individuals are first asked to provide personal information to the organization, or as soon thereafter as is practicable. These disclosures include adding a link in the privacy policy to the DPF List, agreeing to adjudicate any disputes before an authorized independent dispute resolution body free of charge to the complaining individual, listing the types of PII collected and the purposes of such collection, committing to the DPF Principles, providing contact information, disclosing any third parties with whom PII is provided or shared, providing individuals a right to access their PII, describing the protocols in place for limiting the use and disclosure of PII, consenting to regulatory authority of the FTC, DOT or other US authorized regulatory bodies, and requiring disclosure of PII in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

---

For more information, please contact Barry Werbin at [email protected].

© 2023 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.