Ring in the New Year with Data Privacy Framework

Dec 19, 2023 by Dr. Divya Sridhar, Director, Privacy Initiatives, BBB National Programs

In recent weeks, major events surrounding digital data flows have swept the globe, signaling an exciting set of organizational priorities and new beginnings for companies in the coming year.

In the last few weeks, a provisional deal has been reached on the EU AI Act, with some aspects focusing on self-regulation, whereas earlier the language had entirely focused on a risk-based approach. The European Commission’s Didier Reynders has made public comments about broader digital data flows and expectations to build stronger adequacy partnerships (perhaps even with California?!) going into 2024. And, the UK may be working to build a “more sustainable, multilateral, universal solution,” though it has forged some existing partnerships as an associate member of the global Cross Border Privacy Rules (CBPR) in addition to its existing digital bridge with the United States and other countries. 

Even with all of this regulatory action, data from the IAPP-EY Privacy Governance Report shows that some companies hit pause on making international and transatlantic data flows a priority over the past year. In 2023, the tech and telecom sectors ranked international data transfers as their second-highest strategic data privacy priority, behind only AI governance. The largest companies, especially those in the billion-dollar revenue range, were most likely to count international transfers as a "top 5" strategic privacy priority, while smaller companies did not.

With so much change, and competing priorities around how to align data privacy and AI workstreams, how should companies develop their strategic approach for 2024?

Hint: Start with proven solutions that already exist. 

Some companies, especially smaller ones, struggled in the latter half of 2023 to make the transition to the new Data Privacy Framework (DPF) Program, launched by the Department of Commerce in July 2023 to replace Privacy Shield. The launch came quickly after a long wait, and there was an initial lack of information surrounding the DPF Program launch.

But as we ring in the new year, that trend is beginning to flip. The DPF has been vetted, the fears of a third Schrems decision have been quieted, the Swiss and U.K. extensions are live, and the information that companies need to engage in the program is available. Businesses of all sizes are signing up for the DPF Program, and here are some reasons why.


Compliance overlap means efficiency and cost-savings. 

There is a clear overlap between various global regulations, including the GDPR, the DPF Program, the EU AI Act, and other regulations focused on data privacy and AI within the United States. BBB National Programs calculated the overlap between the CBPRs and the DPF Program to be 70%. Adopting the DPF therefore brings companies that much closer to compliance with other global regulations and laws.


Companies, especially small businesses, know that they will gain from strengthened data flows, economically and competitively.

The OECD provides evidence that the presence of digital flows can help small businesses "reduce export costs by 82 percent and transaction times by 29 percent," making processes more streamlined, efficient, and effective, and saving businesses time, energy, and resources. In addition, cross-border connectivity can increase sales for small businesses "by 15–40 percent and hire between 10–50 new employees each."

Small businesses with a strong digital presence “grow twice as fast,” making the case that smaller companies can get an added return on their digital data flows investment.

Companies that self-certify their compliance with DPF are no longer required to use standard contractual clauses (SCCs) or to conduct expensive Transfer Risk Assessments (TRAs), significantly reducing the time and money spent on outside counsel, consulting, and auditing services that would otherwise be a prerequisite to transferring data between jurisdictions.


Prioritized data flows strengthen other strategic workstreams. 

Companies leveraging AI in business processes can more effectively address AI and data privacy regulations, best practices, and considerations if they are DPF Program-certified. Technology will continue to change, advance, and grow, but the DPF Program helps companies keep their data protection lens robust while remaining flexible enough to accommodate change.

Companies that are not certified are likely to violate impending privacy laws taking effect across the globe, from U.S. laws to the GDPR and the UK digital bridge.


Brand and reputation: DPF Program participation signals a good actor in the marketplace.

The Biden Administration's Executive Order places tremendous focus on the public and private sectors taking solid steps toward accountability on AI and data privacy, while incorporating a global lens. Companies must demonstrate, now more than ever, that they are vigilant in recognizing the appropriate legal and regulatory landscape and are leveraging cutting-edge practices such as privacy by design, consumer subject access requests, automated decision-making safeguards, and more.

Noncompliance could result in serious enforcement action and monetary penalties, as well as damage to brand reputation, signaling to consumers that a company is not a responsible actor on data privacy or emerging technologies.


Time is up! Enforcement deadlines have taken effect.

Regulators are vigilantly looking for violations of the DPF Program. Once companies self-certify and publicly commit to comply with the DPF Principles, those commitments are enforceable under U.S. law.

Companies that do not comply with the new DPF Program must withdraw; staying put under the old framework, Privacy Shield, is considered noncompliance and potentially fraud and deception.


Low-cost help, in the form of Independent Recourse Mechanisms (IRMs), is available. 

According to the U.S. Department of Commerce, as of 2023, transatlantic data flows are estimated to underpin more than $1 trillion in trade and investment annually between the U.S. and the EU. Notably, global data flows now contribute more to global growth than global trade in goods.

If you are a multinational business, or you interact with clients, service providers, or contractors in the EU, your business is likely processing the data of EU consumers. Companies have realized they can remove the headache of managing the process by leveraging a third-party accountability agent, such as BBB National Programs, to do the heavy lifting.
