Ring in the New Year with Data Privacy Framework

Dec 19, 2023 by Dr. Divya Sridhar, Director, Privacy Initiatives, BBB National Programs

In recent weeks, major events surrounding digital data flows have swept the globe, setting up an exciting set of organizational priorities and new beginnings for companies in the coming year.

In the last few weeks, a provisional deal has been reached on the EU AI Act, with some aspects focusing on self-regulation, whereas the earlier language had focused entirely on a risk-based approach. The European Commission’s Didier Reynders has made public comments about broader digital data flows and expectations to build stronger adequacy partnerships (perhaps even with California?!) going into 2024. The UK, meanwhile, may be working to build a “more sustainable, multilateral, universal solution,” though it has already forged some partnerships as an associate member of the global Cross Border Privacy Rules (CBPR) system, in addition to its existing digital bridge with the United States and other countries.

Even with all of this regulatory action, data from the IAPP and EY Privacy Governance Report shows that some companies have hit pause on making international and transatlantic data flows a priority over the past year. In 2023, the tech and telecom sectors ranked international data transfers as their second-highest strategic data privacy priority, behind only AI governance. The largest companies, especially those in the billion-dollar revenue range, were most likely to rank international transfers as a “top 5” strategic privacy priority, while smaller companies did not.

With so much change, and competing priorities around how to align data privacy and AI workstreams, how should companies develop their strategic approach for 2024?

Hint: Start with proven solutions that already exist. 

Some companies – especially smaller ones – struggled in the latter half of 2023 to make the transition to the new Data Privacy Framework (DPF) Program, launched by the Department of Commerce in July 2023 to replace Privacy Shield. The launch came quickly after a long wait, and there was an initial lack of information surrounding the DPF Program.

But as we ring in the new year, that trend is beginning to flip. The DPF has been vetted, fears of a third Schrems decision have been quieted, the Swiss and U.K. extensions are live, and the information that companies need to engage in the program is available. Businesses of all sizes are signing up for the DPF Program, and here are some reasons why.


Compliance overlap means efficiency and cost-savings. 

There is a clear overlap between various global regulations, including the GDPR, the DPF Program, the EU AI Act, and other regulations focused on data privacy and AI within the United States. BBB National Programs calculated the overlap between CBPRs and the DPF Program to be 70%. Adopting the DPF Framework gets companies that much closer to compliance with other global regulations and laws.


Companies, especially small businesses, know that they will gain from strengthened data flows, economically and competitively.

The OECD provides evidence that the presence of digital flows can help small businesses “reduce export costs by 82 percent and transaction times by 29 percent,” making processes more streamlined, efficient, and effective – saving businesses time, energy, and resources. In addition, the presence of cross-border connectivity can increase sales for small businesses “by 15–40 percent and hire between 10–50 new employees each.”

Small businesses with a strong digital presence “grow twice as fast,” making the case that smaller companies can get an added return on their digital data flows investment.

Companies that self-certify their compliance with DPF are no longer required to use standard contractual clauses (SCCs) or to conduct expensive Transfer Risk Assessments (TRAs), significantly reducing the time and money spent on outside counsel, consulting, and auditing services that would otherwise be a prerequisite to transferring data between jurisdictions.


Prioritized data flows strengthen other strategic workstreams. 

Companies leveraging AI in business processes can more effectively address AI and data privacy regulations, best practices, and considerations if they are DPF Program-certified. Technology will continue to change, advance, and grow, but the DPF Program will help companies ensure their data protection lens remains robust and at the same time flexible to accommodate change.

Companies that are not certified are likely to violate impending privacy laws taking effect across the globe, from U.S. laws to the GDPR and the UK digital bridge.


Brand and reputation: DPF Program participation signals a good actor in the marketplace.

The Biden Administration Executive Order places tremendous focus on the public and private sector taking solid steps toward accountability on AI and data privacy, while incorporating a global lens. Companies must demonstrate, now more than ever, that they are being vigilant in recognizing the appropriate legal and regulatory landscape, leveraging cutting-edge practices like privacy by design, consumer subject access requests, automated decision-making, and more. 

The cost of noncompliance could result in serious enforcement action and monetary penalties, as well as damage to brand reputation, signaling to consumers that companies are not responsible actors on data privacy or emerging technologies.


Time is up! Enforcement deadlines have taken effect.

Regulators are vigilantly looking at violations of the DPF Program. As companies self-certify and publicly commit to comply with the DPF Principles, their commitments are enforceable under U.S. law. 

Companies that are not in compliance with the new DPF Program must withdraw; staying put under the old Privacy Shield framework is considered noncompliance, and potentially fraud and deception.


Low-cost help, in the form of Independent Recourse Mechanisms (IRMs), is available. 

According to the US Department of Commerce, as of 2023, transatlantic data flows are estimated to underpin more than $1 trillion in trade and investment annually between the U.S. and EU. Notably, global data flows now contribute more to global growth than global trade in goods. 

If you are a multinational business, or you interact with clients, service providers, or contractors in the EU, your business is likely processing the data of EU consumers. Companies have realized they can remove the headache of managing the process by leveraging a third-party accountability agent, such as BBB National Programs, to do the heavy lifting.
