Ring in the New Year with Data Privacy Framework

Dec 19, 2023 by Dr. Divya Sridhar, Director, Privacy Initiatives, BBB National Programs

In recent weeks, major events surrounding digital data flows have swept the globe, predicting an exciting set of organizational priorities and new beginnings for companies in the coming year. 

In the last few weeks, a provisional deal has been reached on the EU AI Act, with some aspects focusing on self-regulation, whereas earlier the language had entirely focused on a risk-based approach. The European Commission’s Didier Reynders has made public comments about broader digital data flows and expectations to build stronger adequacy partnerships (perhaps even with California?!) going into 2024. And, the UK may be working to build a “more sustainable, multilateral, universal solution,” though it has forged some existing partnerships as an associate member of the global Cross Border Privacy Rules (CBPR) in addition to its existing digital bridge with the United States and other countries. 

Even with all of this regulatory action, data from IAPP and EY's Privacy Governance Report shows that some companies have hit pause on making international and transatlantic data flows a priority over the past year. In 2023, the tech and telecom sectors ranked international data transfers as their second-highest strategic data privacy priority, behind only AI governance. The largest companies, especially in the billion-dollar revenue range, were most likely to find international transfers a “top 5” strategic privacy priority, while smaller companies did not.

With so much change, and competing priorities around how to align data privacy and AI workstreams, how should companies develop their strategic approach for 2024?

Hint: Start with proven solutions that already exist. 

Some companies – especially smaller ones – struggled in the latter half of 2023 to make the transition to the new Data Privacy Framework (DPF) Program launched by the Department of Commerce in July 2023 to replace Privacy Shield. The launch was quick after a long wait, and there was an initial lack of information surrounding the DPF Program launch.

But as we ring in the new year, that trend is beginning to flip. DPF has been vetted, the fears of a third Schrems have been quieted, the Swiss and U.K. extensions are live, and the information that companies need to engage in the program is available. Businesses of all sizes are signing up for the DPF Program and here are some reasons why.

 

Compliance overlap means efficiency and cost-savings. 

There is a clear overlap between various global regulations, including the GDPR, the DPF Program, the EU AI Act, and other regulations focused on data privacy and AI within the United States. BBB National Programs calculated the overlap between CBPRs and the DPF Program to be 70%. Adopting the DPF gets companies that much closer to compliance with other global regulations and laws.

 

Companies, especially small businesses, know that they will gain from strengthened data flows, economically and competitively.

The OECD provides evidence that the presence of digital flows can help small businesses “reduce export costs by 82 percent and transaction times by 29 percent,” making processes more streamlined, efficient, and effective – saving businesses time, energy, and resources. In addition, the presence of cross-border connectivity can help small businesses increase sales “by 15–40 percent and hire between 10–50 new employees each.”

Small businesses with a strong digital presence “grow twice as fast,” making the case that smaller companies can get an added return on their digital data flows investment.

Companies that self-certify their compliance with DPF are no longer required to use standard contractual clauses (SCCs) or to conduct expensive Transfer Risk Assessments (TRAs), significantly reducing the time and money spent on outside counsel, consulting, and auditing services that would otherwise be a prerequisite to transferring data between jurisdictions.

 

Prioritized data flows strengthen other strategic workstreams. 

Companies leveraging AI in business processes can more effectively address AI and data privacy regulations, best practices, and considerations if they are DPF Program-certified. Technology will continue to change, advance, and grow, but the DPF Program will help companies ensure their data protection lens remains robust and at the same time flexible to accommodate change.

Companies not certified are likely to violate impending privacy laws taking effect across the globe, from U.S. laws to GDPR and the UK digital bridge.

 

Brand and reputation: DPF Program participation signals a good actor in the marketplace.

The Biden Administration Executive Order places tremendous focus on the public and private sector taking solid steps toward accountability on AI and data privacy, while incorporating a global lens. Companies must demonstrate, now more than ever, that they are being vigilant in recognizing the appropriate legal and regulatory landscape, leveraging cutting-edge practices like privacy by design, consumer subject access requests, automated decision-making, and more. 

The cost of noncompliance could result in serious enforcement action and monetary penalties, as well as damage to brand reputation, signaling to consumers that companies are not responsible actors on data privacy or emerging technologies.

 

Time is up! Enforcement deadlines have taken effect.

Regulators are vigilantly looking at violations of the DPF Program. As companies self-certify and publicly commit to comply with the DPF Principles, their commitments are enforceable under U.S. law. 

Companies not in compliance with the new DPF Program framework must withdraw; staying put under the old framework, Privacy Shield, is considered noncompliance, and possibly fraud and deception.

 

Low-cost help, in the form of Independent Recourse Mechanisms (IRMs), is available. 

According to the U.S. Department of Commerce, as of 2023, transatlantic data flows are estimated to underpin more than $1 trillion in trade and investment annually between the U.S. and EU. Notably, global data flows now contribute more to global growth than global trade in goods.

If you are a multinational business or interacting with clients, service providers, or contractors in the EU, your business is likely processing data of EU consumers. Companies have realized they can remove the headache of managing the process by leveraging a third-party accountability agent, such as BBB National Programs, to do the heavy lifting.
