Data Privacy Framework Principles
The EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles, which apply to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, which apply to the Swiss-U.S. DPF are both comprised of a set of seven commonly recognized privacy principles and sixteen equally binding supplemental principles that explain and augment those seven privacy principles.
Transitioning to the Data Privacy Framework Program
If your business is not yet a participant, or has left the program and is looking to return, please contact us. To get on the mailing list for updates as information is available, subscribe to the Privacy Initiatives newsletter.
Seven Promises to Protect Individual Privacy
In order to process personal data received from the European Union, the United Kingdom, and Switzerland, participating organizations in the United States must publicly commit to comply with the seven core Principles and sixteen equally binding supplemental principles. The core principles are summarized below.
- Notice. Organizations must publish online privacy notices containing specific information about their participation in the Framework (including any additional entities or subsidiaries of the organization also adhering to the Principles); their practices around collecting and processing personal data and sharing it with third parties; the rights of covered individuals to access and correct data; and the choices they make available to individuals regarding limiting data collection and use. Information about all thirteen notice requirements is included on our Requirements of Participation page.
- Choice. Participating organizations must provide a mechanism for individuals to opt out of having personal information (a) disclosed to a non-agent third party or (b) used for a materially different purpose other than that for which the information was originally provided (or subsequently authorized by the individual). When sensitive information is involved, opt-in consent is required before information may be shared with a third party or used for a new purpose.
- Onward Transfer. The substantive requirements for sharing personal information depend on the type of third party that receives the information.
a. To transfer personal information to a third party acting as a data controller, a participant must first comply with the Notice and Choice Principles. It must also enter into a contract with the third-party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles.
b. To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable steps to ensure that the agent effectively processes this data in a manner consistent with Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the Department of Commerce. The organization will remain liable if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Table: Choice and accountability requirements by type of third party with which personal data is shared
|Opt-out Choice||Opt-in Choice||Accountability for Onward Transfer|
|Agent||No requirement to provide an opt-out for transfers to third parties acting as agents (but must enter into a contract with the agent consistent with Onward Transfer Principle, including requiring agent to cease processing on request).||For sensitive data, must obtain affirmative express consent prior to sharing (unless an exception applies).||Liable if agent processes data in a manner inconsistent with the Principles, unless company proves it is not responsible for the event giving rise to the damage.|
|Required to provide an opt-out (clear, conspicuous, and readily available) for transfers to non-agent third-parties.||For sensitive data, must obtain affirmative express consent prior to sharing (unless an exception applies).||No similar requirement of liability, but must still enter into a contract consistent with the Onward Transfer Principle.|
- Security. An organization creating, maintaining, using, or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Principles for as long as it retains such information.
- Access. An organization must provide a mechanism by which data subjects may request access to personal information the organization holds about them and enable them to correct, amend, or delete information that is either (a) inaccurate or (b) processed in violation of the Principles.
- Recourse, Enforcement, and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance; consequences to organizations for non-compliance, and compliance verification.
a. Individual Recourse: Organizations may subscribe to “readily available and affordable independent recourse mechanisms” such as BBB National Programs to resolve complaints from eligible individuals that the parties were unable to resolve on their own. These dispute resolution services must be provided at no cost to the individual data subject. Organizations and their independent dispute resolution body must respond promptly to inquiries and requests by the Department of Commerce, which is obligated to pass along complaints referred by the proper data authorities. Eligible residents have the option of filing complaints directly with their local data authority, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints. As a last resort, for complaints left unresolved by all other available mechanisms, individuals may invoke binding arbitration.
b. Consequences for Non-Compliance: In addition to enforcement by the FTC (or Department of Transportation) for its own privacy violations, an organization also remains liable for its agents’ (service providers) failure to comply with the Principles unless the organization can show it was not responsible for the event giving rise to the violation.
c. Compliance Verification: Organizations must verify their compliance, either through a documented internal self-assessment process or by engaging a third-party verifier. Organizations must keep records of the implementation of their privacy practices and make them available to enforcement agencies in the course of an investigation.
So long as an organization retains data, it must affirm its compliance to the Department of Commerce on an annual basis. Even if the organization withdraws from the Data Privacy Framework Program, it must continue to treat data collected during the time of its self-certification consistent with the Principles. Alternatively, the organization must either return or delete the information.
- U.S. Department of Commerce – Requirements of Participation
- U.S. Department of Commerce – Data Privacy Framework Program
- European Commission – Data Transfers & the EU-U.S. Data Privacy Framework