In the past couple of years, I’ve written about specific state and European Internet privacy laws in places like Virginia, Tennessee, California, and Europe and how each impacts U.S.-based businesses. Compliance with Europe’s privacy law, the GDPR, has proven particularly difficult for American companies. Recent developments may provide some relief – in July of this year, the new EU-US Data Privacy Framework (DPF) was promulgated. But the history of EU and US privacy law suggests that businesses should think twice before abandoning GDPR compliance for the DPF.
Privacy Shield And The GDPR
Before we dive into the specifics of DPF, businesses need to understand the history of the application of European privacy laws to American companies. Before 2020, American companies were able to comply with European law by participating in a voluntary legal framework called Privacy Shield. Privacy Shield provided some protections for Europeans’ personal data, but it was much less comprehensive and stringent than the GDPR.
But in July 2020, the Court of Justice of the European Union ruled in the Schrems II case and declared that Privacy Shield protections were insufficient for compliance with the GDPR – in effect, it canceled the Privacy Shield program. This is why American companies have been required to provide EU citizens and residents with a complete set of GDPR personal data protections and processes.
The DPF is intended to be the successor to Privacy Shield – its requirements are less strict than those of the GDPR; therefore, American companies processing personal data from the EU should have a much easier time complying with the DPF than with the GDPR.
What Does The DPF Do?
While the GDPR requires businesses to provide extensive notices and comply with onerous processes (for example, conducting a lengthy assessment before moving data from an EU country to a non-EU country), the DPF is a much simpler framework. It allows companies to avoid most, but not all, of the GDPR obligations if they satisfy the DPF requirements. The key requirements of the DPF are:
- The company’s publicly available privacy policy must include a declaration of commitment to the “DPF Principles” of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
- Individuals whose data is being processed must be informed of their rights.
- The company must provide free and accessible dispute resolution.
- The company must cooperate with the U.S. Department of Commerce in responding to DPF inquiries and requests.
- The company must comply with the GDPR’s data collection, retention, and processing purpose limitation provisions.
- The company will remain responsible for data transferred to third parties, and its contracts with any such third party must include specific terms.
If a business certifies to the federal government that it complies with the DPF requirements, it will be allowed to transfer and process protected personal data without full GDPR compliance.
Should You Rely On It?
Because the DPF is much less stringent than the GDPR, many companies are eager to adopt its framework. But experts have urged caution. Data privacy advocates in Europe have already declared their intentions to challenge the DPF in court and they will likely win at least a partial victory. The key takeaway is to maintain full GDPR compliance and wait until the Court of Justice of the European Union issues a ruling on the DPF. While the complexities of GDPR compliance far exceed the scope of this blog post, there are four key steps you can take to promote GDPR compliance:
- Provide every protected person with a notice of their rights.
- Use only approved standard contractual clauses when providing data to third parties like contractors or service providers.
- Only process data for the purposes for which it was originally collected.
- Make and enforce a compliant data retention and deletion policy – keep data no longer than is necessary.
The attorneys at Venn Law Group have experience helping businesses determine which Internet privacy laws apply and how these laws impact their operations. To learn more about how Venn Law Group can help you develop compliant data processing practices and contracts that work for your business, please contact us here.
Edward B. Woodall is an attorney at Venn Law Group who works in corporate law and commercial real estate, including leasing, financing, taxation, business structures, and dispute resolution. He is passionate about helping business owners solve a variety of complex legal problems and has performed more than 100 hours of pro bono work. In addition to his law degree, he also has a background in history and Spanish.