Ring in the New Year with Data Privacy Framework

Dec 19, 2023 by Dr. Divya Sridhar, Director, Privacy Initiatives, BBB National Programs

In recent weeks, major events surrounding digital data flows have swept the globe, predicting an exciting set of organizational priorities and new beginnings for companies in the coming year. 

In the last few weeks, a provisional deal has been reached on the EU AI Act, with some aspects focusing on self-regulation, whereas earlier the language had focused entirely on a risk-based approach. The European Commission’s Didier Reynders has made public comments about broader digital data flows and expectations to build stronger adequacy partnerships (perhaps even with California?!) going into 2024. And the UK may be working to build a “more sustainable, multilateral, universal solution,” though it has already forged partnerships as an associate member of the global Cross Border Privacy Rules (CBPR) system, in addition to its existing digital bridge with the United States and other countries. 

Even with all of this regulatory action, data from the IAPP and EY Privacy Governance Report shows that some companies hit pause on making international and transatlantic data flows a priority over the past year. In 2023, the tech and telecom sectors ranked international data transfers as their second highest strategic data privacy priority, behind only AI governance. The largest companies, especially those in the billion-dollar revenue range, were most likely to rank international transfers as a “top 5” strategic privacy priority, while smaller companies did not.

With so much change, and competing priorities around how to align data privacy and AI workstreams, how should companies develop their strategic approach for 2024?

Hint: Start with proven solutions that already exist. 

Some companies – especially smaller ones – struggled in the latter half of 2023 to make the transition to the new Data Privacy Framework (DPF) Program, launched by the Department of Commerce in July 2023 to replace Privacy Shield. The launch came quickly after a long wait, and there was an initial lack of information surrounding the DPF Program launch.

But as we ring in the new year, that trend is beginning to flip. DPF has been vetted, fears of a third Schrems ruling have been quieted, the Swiss and U.K. extensions are live, and the information that companies need to engage in the program is available. Businesses of all sizes are signing up for the DPF Program, and here are some reasons why.

Compliance overlap means efficiency and cost-savings. 

There is a clear overlap between various global regulations, including the GDPR, the DPF Program, the EU AI Act, and other regulations focused on data privacy and AI within the United States. BBB National Programs calculated the overlap between CBPRs and the DPF Program to be 70%. Adopting the DPF Framework gets companies that much closer to compliance with other global regulations and laws.

Companies, especially small businesses, know that they will gain from strengthened data flows, economically and competitively.

The OECD provides evidence that the presence of digital flows can help small businesses “reduce export costs by 82 percent and transaction times by 29 percent,” making processes more streamlined, efficient, and effective – saving businesses time, energy, and resources. In addition, the presence of cross-border connectivity can increase sales for small businesses “by 15–40 percent and hire between 10–50 new employees each.”

Small businesses with a strong digital presence “grow twice as fast,” making the case that smaller companies can get an added return on their digital data flows investment.

Companies that self-certify their compliance with DPF are no longer required to use standard contractual clauses (SCCs) or to conduct expensive Transfer Risk Assessments (TRAs), significantly reducing the time and money spent on outside counsel, consulting, and auditing services that would otherwise be a prerequisite to transferring data between jurisdictions.

Prioritized data flows strengthen other strategic workstreams. 

Companies leveraging AI in business processes can more effectively address AI and data privacy regulations, best practices, and considerations if they are DPF Program-certified. Technology will continue to change, advance, and grow, but the DPF Program will help companies ensure their data protection lens remains robust and at the same time flexible to accommodate change.

Companies not certified are likely to violate impending privacy laws taking effect across the globe, from U.S. laws, to GDPR, and the UK digital bridge.

Brand and reputation: DPF Program participation signals a good actor in the marketplace.

The Biden Administration Executive Order places tremendous focus on the public and private sector taking solid steps toward accountability on AI and data privacy, while incorporating a global lens. Companies must demonstrate, now more than ever, that they are being vigilant in recognizing the appropriate legal and regulatory landscape, leveraging cutting-edge practices like privacy by design, consumer subject access requests, automated decision-making, and more. 

The cost of noncompliance could result in serious enforcement action and monetary penalties, as well as damage to brand reputation, signaling to consumers that companies are not responsible actors on data privacy or emerging technologies.

Time is up! Enforcement deadlines have taken effect.

Regulators are vigilantly looking at violations of the DPF Program. As companies self-certify and publicly commit to comply with the DPF Principles, their commitments are enforceable under U.S. law. 

Companies not in compliance with the new DPF Program framework must withdraw; staying put under the old framework, Privacy Shield, is considered noncompliance and possibly fraud and deception.

Low-cost help, in the form of Independent Recourse Mechanisms (IRMs), is available. 

According to the U.S. Department of Commerce, as of 2023, transatlantic data flows are estimated to underpin more than $1 trillion in trade and investment annually between the U.S. and EU. Notably, global data flows now contribute more to global growth than global trade in goods. 

If you are a multinational business or interacting with clients, service providers, or contractors in the EU, your business is likely processing data of EU consumers. Companies have realized they can remove the headache of managing the process by leveraging a third-party accountability agent, such as BBB National Programs, to do the heavy lifting.
