Data Privacy Framework (DPF) is Here – Now What?

July 27, 2023

Data Privacy Framework Special Episode

The Data Privacy Framework (DPF) program is now in effect, replacing Privacy Shield as the mechanism to allow the safe, seamless transfer of personal data from the EU to the U.S in compliance with EU law. In this special edition episode of Privacy Abbreviated, host Dona Fraser is joined by IAPP’s Cobun Zweifel-Keegan to explain the current landscape of cross-border data transfer privacy, to break down the launch of the DPF program including what it means for U.S. businesses, and make some predictions about what the road ahead looks like.



Related Resources

Data Privacy Framework Timeline

Data Privacy Framework Services

Two Peas in a Privacy Pod: Global CBPR and the DPF


Show Notes

Dona Fraser, host and Senior Vice President of Privacy Initiatives at BBB National Program is joined by former colleague and friend Cobun Zweifel-Keegan who is now Managing Director of IAPP, the International Association of Privacy Professionals, to present a special edition of the Privacy Abbreviated podcast. On July 10th, the European Commission deemed the EU-U.S. Data Privacy Framework (DPF) adequate. This episode addresses what adequacy means and the assurances that DPF brings for U.S. businesses that can once again do business with the EU in compliance with GDPR.

3:12 - Cobun begins by defining the GDPR, the General Data Protection Regulation, a comprehensive data protection law across the European Union that has within it a restriction on transferring personal information from the EU to other countries. The purpose is to ensure the data isn't placed where it's not subject to the same privacy and data protection rules that govern the EU.

Cobun explains that there are several ways that businesses can legally export data from the EU. "The gold standard is an adequacy decision," Cobun explains. The process of coming to an adequacy decision begins with a review of the practices of the receiving country by the European Commission. They are the deciding body that allows any company operating within the receiving jurisdiction to legally receive data if found that practices meet the scope of the law.

Dona stresses to listeners the importance of using the DPF. She expresses her concerns regarding small to medium size companies that may not have in-house counsel to support and guide them through the vitality of compliance. Both hosts walk listeners through the consequences of non-compliance. Cobun points out that these companies "could be subject to fines and other penalties, but the fines usually grab people's attention." Cobun warns that the fines are tremendously significant for any size company, so those not taking the extra steps to ensure compliance are already behind.

15:01 - Upon tackling self-certification, Dona shifts the conversation toward Binding Corporate Rules (BCR). The two agree that BCRs are inappropriate for small to medium-sized companies that aren't engaging with highly sensitive data.

What Cobun does suggest for smaller businesses is signing standard contractual clause agreements with the entities they are conducting business with. These clauses have become stronger due to the surveillance adjustments made by the U.S., along with additional commitments from the intelligence community. By implementing these measures, businesses can ensure compliance while maintaining their operations.

22:00 - As a final discussion point, Dona highlights that there were separate frameworks for EU-U.S. and Swiss-U.S. agreements under Privacy Shield. However, with the UK's exit from the EU, and the establishment of the DPF, there are now distinct frameworks for the EU and U.S. Dona asks Cobun to provide additional clarification regarding this matter.

According to Cobun, there is a UK extension to the EU-U.S. DPF, and companies can self-certify for that extension. Even existing DPF companies must take the affirmative step of applying for the UK-U.S. extension. While it is a separate entity, businesses must already be part of the EU-U.S. DPF to be eligible for the UK extension.

Cobun also mentions that we are still awaiting approval from the UK for what they will refer to as a UK-U.S. data bridge, which is essentially equivalent to adequacy. He adds that once this data bridge is established, it will acknowledge the adequacy and validity of self-certifications to the UK extension while adhering to the same rules as the EU-U.S. DPF.

He further emphasizes, "It's good that this extension is going to be in place, but it will require that extra step for everybody to take to ensure that those commitments are extended."

Signing off, Dona encourages listeners to sign up for the Privacy Initiatives Newsletter and listen to previous episodes of Privacy Abbreviated to learn more about the current privacy landscape. To do so, you can visit BBB National Programs' Accountability Studios website or subscribe to Privacy Abbreviated on Apple Podcast, Google Podcast, Spotify, or where you access your favorite podcast.

Latest News

Press Release

BBB National Programs’ Statement on Adoption of Adequacy for the EU-U.S. Data Privacy Framework

McLean, VA – July 11, 2023 – Dona Fraser, BBB National Programs’ Senior Vice President, Privacy Initiatives, issued a statement on behalf of BBB National Programs today on the European Commission’s official adoption of its adequacy decision for the EU-U.S. Data Privacy Framework (EU-US DPF).

Read the Press Release
Press Release

BBB National Programs Welcomes Joe Stegbauer, SVP and General Counsel – Corporate and Business Units, P&G to its Board of Directors

McLean, VA, June 1, 2023 – BBB National Programs, an independent non-profit organization that operates a growing suite of national and global programs focused on industry self-regulation and dispute resolution, today announced the election of Joe Stegbauer from The Procter & Gamble Company (P&G) to its...

Read the Press Release
Press Release

Lindt Joins the Children’s Food and Beverage Advertising Initiative Pledge Program

McLean, VA – January 17, 2023 – The Children’s Food and Beverage Advertising Initiative (CFBAI) welcomes Lindt & Sprüngli and its subsidiaries, Ghirardelli Chocolate Company and Russell Stover Chocolates, as the newest participant in the food advertising pledge program.

Read the Press Release
Press Release

BBB National Programs Announces 91 Distinguished Panel Pool Members for 2023 National Advertising Review Board

McLean, VA – January 10, 2023 – BBB National Programs today announced the 91 panel pool members of the 2023 National Advertising Review Board, the appellate body for the U.S. advertising industry’s system of self-regulation, selected for their stature and experience in their fields.

Read the Press Release