The ABCs of DPF and GDPR
Feb 7, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs
Like with most things in life, the third time is meant to be the charm. Or, at least, this seems to be the case as it concerns transatlantic data flows: the two earlier frameworks, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the European Union (in 2015 and 2020, respectively).
Superstitions aside, the newest approved data transfer mechanism between the EU and the U.S.—the EU-U.S. Data Privacy Framework (EU-U.S. DPF), together with the newly implemented UK Extension—simplifies transatlantic data flows for U.S.-based companies of all sizes.
In addition to easing data flows across the Atlantic, the EU-U.S. DPF has the added benefit of satisfying the transfer requirements of the General Data Protection Regulation (GDPR), which sets specific conditions that must be met when personal data of individuals in the EU and the wider European Economic Area (which also includes Iceland, Liechtenstein, and Norway, none of which are EU member states) is transferred to a third country.
And these are requirements that you will want to satisfy. GDPR violators face fines of up to 20 million euros (just shy of $22 million USD) or 4% of worldwide annual turnover, whichever is higher.
What is GDPR and who needs to comply?
GDPR is the European Union's law governing the privacy and security of personal data. Since it took effect on May 25, 2018, compliance has been mandatory for organizations established in the EU that process personal data, regardless of where the processing takes place, and for organizations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. In other words, a business physically located in the EU falls under the scope for all of the personal data it processes, and a business located anywhere else falls under the scope as soon as it processes the data of people in the EU in those ways. Note that the test is where the individual is, not whether they hold EU citizenship.
Its introduction was one of the more notable recent instances of a law being applied extra-territorially. But GDPR is here to stay, having recently celebrated its fifth anniversary.
How does the EU-U.S. DPF align with GPDR?
GDPR Articles 44, 45, and 46 set the terms for transferring personal data to third countries and international organizations. Taken together, these three articles establish the EU standard for moving personal data out of the EU/EEA: Article 44 states the general principle, Article 45 covers transfers on the basis of an adequacy decision, and Article 46 covers transfers subject to appropriate safeguards. Article 45 specifically states:
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”
“Adequate” is the heavy-lifting adjective here, as it is the qualifier against which the third-country transfer is assessed.
The EU-U.S. DPF – a data transfer mechanism that is readily accessible to small and medium-sized enterprises as well as large multinational companies – is covered by a Commission adequacy decision that applies to U.S. organizations that self-certify and make a public commitment to adhere to the DPF Principles.
To add some perspective, the U.S. is covered by one of only 16 adequacy decisions issued by the European Commission. Eleven of them (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay) were recently reviewed by the Commission and kept their adequacy status.
The small number of countries and territories that meet the threshold underlines how difficult an adequacy decision is to obtain. Absent one, companies in the rest of the world must rely on the appropriate safeguards of Article 46, such as Standard Contractual Clauses or Binding Corporate Rules, both of which can be complex to put in place and require a substantial amount of resources.
Small and medium-sized businesses feel this burden the most, as the resources needed can be daunting enough to significantly affect operational costs.
Should my business join the DPF Program?
Although participation in the DPF Program is voluntary, it is an accessible program that simplifies what might otherwise be a confusing and expensive process. Coupled with enforcement oversight from the Federal Trade Commission and compliance checks from the U.S. Department of Commerce, companies that join the DPF Program are held accountable for keeping the commitments they make.
So, for U.S. companies that want to satisfy one of GDPR's many requirements, in particular those relating to data transfers and related data subject rights, and to reduce their exposure to fines, certifying under the DPF Program can be an accessible and affordable option.
BBB National Programs operates the longest-running data-transfer independent recourse mechanism (IRM) in the United States, building on more than 20 years of experience with cross-border data transfers between Europe and the U.S. Our DPF Services are high-touch, supporting businesses of all sizes at all stages of their compliance journey.
If you are interested in taking the next step, we recently hosted a webinar with the Department of Commerce to discuss the DPF program and to share some behind-the-scenes information about partnering with an IRM like us. As a first step, you can request the January 23 recording or simply reach out and set up a free consultation with our team.
Note: It is important to emphasize that adherence to the EU-U.S. DPF does not mean that a business is fully GDPR compliant; it fulfills the transfer requirements of specific GDPR articles (Articles 44 to 46), and nothing more. Companies should consult with legal counsel, to the extent they are able, about the remainder of their GDPR obligations.