The US government last month reached a deal with the European Union (EU) on protecting EU residents’ data privacy when their information flows to the United States.
The EU-US Data Privacy Framework (DPF) was announced by the European Commission and the US Department of Commerce as a replacement for the Safe Harbor Framework. Safe Harbor was invalidated by the European Union Court of Justice in 2015, creating confusion and an eight-year legal limbo for companies dealing with customer data.
The new DPF agreement contains three core elements:
- Strong obligations for companies handling EU citizens’ data. Handling of that data is regulated much more strictly in Europe because of the strong consumer data privacy rights under the General Data Protection Regulation (GDPR).
- Specific safeguards and transparency rules for US government agency access, something that has caused tension between US tech companies and the US government.
- A new complaint resolution process for EU citizens. They can now lodge complaints about suspected unfair surveillance with their national regulators, who can bring the matter before a review panel of American judges.
The Biden Administration, the European Union, data privacy advocates, and business leaders have been driving to get this agreement in place. The reason is simple: The ability to move consumer data between continents translates into billions of dollars in commerce, and an agreement could only happen with proper privacy protection measures.
European Commission President Ursula von der Leyen called the agreement “an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US and, at the same time, to reaffirm our shared values. It shows that we can address the most complex issues by working together.”
EU-US DPF: Critical to Transatlantic Business
The DPF is based on frameworks designed by the US Department of Commerce, the European Commission, and the Swiss Federal Administration to support transatlantic commerce. Business access to and use of customer data is essential in today’s digital economy. Behavioral data, personalization, product and promotional offers, and customer experience applications all rely on transferring and accessing real-time and historical data. Without an agreement and specific rules, thousands of companies in Europe and the United States have faced widespread uncertainty about their ability to conduct business between Europe and the United States.
Just as important, without an agreement in place, a company’s obligation to share European citizen data with US government agencies has been unclear. Meta, Google, AT&T, and other companies regularly complain that American intelligence agencies’ ability to access data under the Foreign Intelligence Surveillance Act amounts to overreach. For example, in May, Meta was fined $1.3 billion by EU regulators for sending data belonging to its platform’s EU users to the US.
How Businesses Can Join the DPF
For data and technology executives, it’s imperative to understand the significance of the DPF program and this data-sharing pact. The International Trade Administration (ITA) oversees and administers the program within the US Department of Commerce. To participate in the framework, a US-based organization must self-certify through the designated website and publicly pledge to adhere to the framework’s specific requirements. The Administration has also compiled resources and frequently asked questions on the program’s website.
Participation in the DPF program is voluntary. Once an eligible organization publicly commits to complying with the framework’s requirements, this commitment becomes legally enforceable under US law. It is therefore vital for organizations to thoroughly review and understand the requirements of the DPF principles.
As usually happens with new regulations, this agreement will undoubtedly face legal challenges. The timing and consequences of those challenges are uncertain. Data law experts and corporate privacy lawyers still recommend certifying or recertifying now to get a head start on the process, as significant revenue is at stake.