5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Nov 14, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs and Destiny Shearin, Privacy Coordinator, Data Privacy Framework, BBB National Programs

The Data Privacy Framework (DPF) Program provides an easy and accessible way for U.S.-based companies to transfer data to the U.S. from Europe. Companies that want to take advantage of this program, administered by the U.S. Department of Commerce, must first apply. And as veterans of the program will tell you, the program is generally easy, though a handful of areas can be tricky to navigate.

The DPF Program is not new. It has been in place since March 2022, having been renamed in accordance with adequacy decisions as they were adopted, such as Safe Harbor and Privacy Shield. In the wake of the most recent three adequacy decisions – the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF – we have the DPF Program.

Each year, participants in the DPF Program need to recertify with the Department of Commerce, annually assessing and accounting for how they handle and process personal data that originates in the EU, UK, and/or Switzerland. And just as with their initial self-certification application, companies can find recertification to be a tricky process as well. 

To assist companies looking to certify for the first time or recertify, the Global Privacy Division at nonprofit BBB National Programs, the longest-running Independent Recourse Mechanism (IRM) provider in the United States, has outlined five key recommendations to keep in mind to avoid common missteps when navigating the process.

 

1) Start by identifying your IRM.

Before starting the application process, companies should identify and join their IRM, a requirement for participation in the DPF Program. An IRM can play a critical role in helping your company prepare for and complete a seamless application process. 

Companies that transfer human resources (HR)-related data are required to use the European Data Protection Agencies (DPAs) as their IRM, as outlined in the Supplemental Principles for HR data. HR data only applies to companies that have employees in one of the covered jurisdictions and actively transfer data about those employees to the U.S. A company can have Europe-based workers but if data about them is localized or not transferred to the U.S., they may not be subject to the HR requirements.  

In its IRM role, BBB National Programs provides hands-on, step-by-step guidance on the requirements to include in your privacy policy and reaches out on your behalf to the Department of Commerce to help resolve any issues. (Get in touch to get started.)

 

2) Be aware of the various program fees, which vary by Framework and type of data processed.

Before you apply for the DPF Program with the Department of Commerce, visit the official DPF Program website to learn more about the application fee, which is based on total global gross revenue. You will need to pay this fee with your annual recertification. 

In addition to the application fee, there is a mandatory contribution to The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA). This fee goes towards covering arbitration-related costs, as EU, UK, and Swiss individuals have the right to invoke binding arbitration in the event of a complaint or other dispute. Unlike the application fee and the subsequent recertification, this is a one-time contribution.

Finally, depending on your participation in the DPF Program, there can be additional fees. For example, if a company elects to use the DPAs as its IRM, it must pay an annual fee of $50 to the United States Council for International Business to help cover operating and maintenance costs.

 

3) Ensure you are meeting the DPF Program Notice requirements to link to the official Commerce site and your IRM’s site. 

As part of the DPF Program participation requirements, companies must include a link to the Department of Commerce DPF Program webpage in their privacy policy, allowing regulators and other stakeholders to easily verify a company’s status in the program’s registry of active participants. 

In addition, participants must provide a link to their selected IRM in their privacy policy so that eligible individuals with a complaint or other dispute can easily access a company’s IRM free of charge. Make sure to outline your participation by Framework and coverage. Common mistakes include not hyperlinking to the appropriate DPF Program webpage or including a link that is broken.

The DPF Program differs from its previous iterations as it has three coverage options companies can choose from. You can choose to be certified under the EU-U.S. DPF, the UK Extension, and/or the Swiss-U.S. DPF. Including the appropriate Framework coverage in a privacy policy is vital as the information directly signals to individuals whether they have rights for recourse. Individuals in the EU, UK, and Switzerland must be explicitly and separately referenced and cannot be generalized or used under a blanket “European” term. Given that three separate adequacy agreements allow for transfers in each jurisdiction, only the appropriate frameworks being used should be referenced. 

 

4) Understand the requirements for HR data coverage.

As noted, HR data is covered under the frameworks, but companies need to appropriately denote when their employees’ HR data is covered. A company can have Europe-based workers, but if data about them is localized or not transferred to the U.S., the company may not be subject to the HR requirements. HR data requirements are outlined in the Supplemental Principles for HR Data for the respective frameworks. In addition to the previously mentioned associated fees, specific language outlining the rights of EU, UK, and Swiss individuals pertaining to their HR data must also be present in a privacy policy before it can be approved.

 

5) Properly address the DPF Principles. 

Seven core principles underpin the respective framework agreements: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability. Each principle must be adequately addressed in a privacy policy in accordance with the guidance issued by the Department of Commerce. When applying, keep in mind you will be asked to summarize a few points about how the principles apply and provide adequate context to justify the purpose for data collection and processing, and the circumstances in which data will be shared with third parties.

An important final reminder is that companies must receive approval from the Department of Commerce for their acceptance into the DPF Program before posting a privacy policy that references the DPF. Posting a policy indicating participation in the DPF before acceptance into the program is a misrepresentation and is subject to enforcement action by the Federal Trade Commission (FTC).

The application process can seem daunting at first, but with these five points in mind you can avoid common missteps made during the process. 

And if you need help, set up time with the experts from BBB National Programs DPF Services team, or email us at euprivacy@bbbnp.org.
