Ring in the New Year with Data Privacy Framework

Dec 19, 2023 by Dr. Divya Sridhar, Director, Privacy Initiatives, BBB National Programs

In recent weeks, major developments surrounding digital data flows have swept the globe, pointing to a new set of organizational priorities and new beginnings for companies in the coming year.

In the last few weeks, a provisional deal has been reached on the EU AI Act, with some aspects focusing on self-regulation, whereas earlier the language had focused entirely on a risk-based approach. The European Commission’s Didier Reynders has made public comments about broader digital data flows and expectations to build stronger adequacy partnerships (perhaps even with California?!) going into 2024. And the UK may be working to build a “more sustainable, multilateral, universal solution,” though it has already forged some partnerships as an associate member of the global Cross Border Privacy Rules (CBPR) system, in addition to its existing digital bridge with the United States and other countries.

Even with all of this regulatory action, data from the IAPP and EY Privacy Governance Report shows that some companies hit pause on making international and transatlantic data flows a priority over the past year. In 2023, the tech and telecom sectors ranked international data transfers as their second-highest strategic data privacy priority, behind only AI governance. The largest companies, especially those in the billion-dollar revenue range, were most likely to rank international transfers as a “top 5” strategic privacy priority, while smaller companies did not.

With so much change, and competing priorities around how to align data privacy and AI workstreams, how should companies develop their strategic approach for 2024?

Hint: Start with proven solutions that already exist. 

Some companies – especially smaller ones – struggled in the latter half of 2023 to make the transition to the new Data Privacy Framework (DPF) Program launched by the Department of Commerce in July 2023 to replace Privacy Shield. The launch was quick after a long wait, and there was an initial lack of information surrounding the DPF Program launch.

But as we ring in the new year, that trend is beginning to flip. The DPF has been vetted, fears of a third Schrems ruling have been quieted, the Swiss and U.K. extensions are live, and the information that companies need to engage in the program is available. Businesses of all sizes are signing up for the DPF Program, and here are some reasons why.

 

Compliance overlap means efficiency and cost-savings.

There is a clear overlap between various global regulations, including the GDPR, the DPF Program, the EU AI Act, and other regulations focused on data privacy and AI within the United States. BBB National Programs calculated the overlap between CBPRs and the DPF Program to be 70%. Adopting the DPF Framework gets companies that much closer to compliance with other global regulations and laws.

 

Companies, especially small businesses, know that they will gain from strengthened data flows, economically and competitively.

The OECD provides evidence that the presence of digital flows can help small businesses “reduce export costs by 82 percent and transaction times by 29 percent,” making processes more streamlined, efficient, and effective – saving businesses time, energy, and resources. In addition, the presence of cross-border connectivity can increase sales for small businesses “by 15–40 percent and hire between 10–50 new employees each.”

Small businesses with a strong digital presence “grow twice as fast,” making the case that smaller companies can get an added return on their digital data flows investment.

Companies that self-certify their compliance with DPF are no longer required to use standard contractual clauses (SCCs) or to conduct expensive Transfer Risk Assessments (TRAs), significantly reducing the time and money spent on outside counsel, consulting, and auditing services that would otherwise be a prerequisite to transferring data between jurisdictions.

 

Prioritized data flows strengthen other strategic workstreams.

Companies leveraging AI in business processes can more effectively address AI and data privacy regulations, best practices, and considerations if they are DPF Program-certified. Technology will continue to change, advance, and grow, but the DPF Program will help companies ensure their data protection lens remains robust and at the same time flexible to accommodate change.

Companies that are not certified are likely to violate impending privacy laws taking effect across the globe, from U.S. laws to the GDPR and the UK digital bridge.

 

Brand and reputation: DPF Program participation signals a good actor in the marketplace.

The Biden Administration’s Executive Order places tremendous focus on the public and private sectors taking solid steps toward accountability on AI and data privacy, while incorporating a global lens. Companies must demonstrate, now more than ever, that they are vigilant in recognizing the applicable legal and regulatory landscape, leveraging cutting-edge practices such as privacy by design, consumer subject access requests, automated decision-making safeguards, and more.

Noncompliance could result in serious enforcement action and monetary penalties, as well as damage to brand reputation, signaling to consumers that a company is not a responsible actor on data privacy or emerging technologies.

 

Time is up! Enforcement deadlines have taken effect.

Regulators are vigilantly watching for violations of the DPF Program. Once companies self-certify and publicly commit to comply with the DPF Principles, those commitments are enforceable under U.S. law.

Companies not in compliance with the new DPF Program must withdraw; staying put under the old framework, Privacy Shield, is considered noncompliant and potentially fraudulent and deceptive.

 

Low-cost help, in the form of Independent Recourse Mechanisms (IRMs), is available.

According to the U.S. Department of Commerce, as of 2023, transatlantic data flows are estimated to underpin more than $1 trillion in trade and investment annually between the U.S. and the EU. Notably, global data flows now contribute more to global growth than global trade in goods.

If you are a multinational business, or you interact with clients, service providers, or contractors in the EU, your business is likely processing the data of EU consumers. Companies have realized they can remove the headache of managing the process by leveraging a third-party accountability agent, such as BBB National Programs, to do the heavy lifting.
