EU-US Data Privacy Framework (DPF): How to self-certify

The US government and European Commission have agreed to a new data transfer scheme, the EU-US Data Privacy Framework (DPF).

Under the EU’s strict interpretation of its own rules, many transatlantic transfers of personal data have been outright illegal since July 2020. Things will get easier now (perhaps temporarily) as the EU has adopted a partial adequacy decision in respect of the US.

Joining the DPF means you won’t need to put in place any additional data transfer safeguards or contracts—organizations in the European Economic Area (EEA) can freely and legally “export” personal data to your business.

Here’s how a new starter (i.e., a US business that is not certified under the now-defunct EU-US Privacy Shield) can apply to join the EU-US DPF.

Ensure you are eligible for the DPF

To self-certify under the DPF, you must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT).

This covers most US businesses, as the FTC regulates virtually all commercial activity. But there are exceptions, including:

• Banks
• Federal credit unions
• Savings and loan institutions
• Telecoms companies and “common carriers”
• Labor associations
• Most nonprofits
• Some insurance firms

Understand the DPF principles

The DPF, like its predecessors, Privacy Shield and Safe Harbor, requires participants to commit to complying with a set of principles, namely:

• Notice: Be transparent about your data processing activities.
• Choice: Offer people opt-outs or get consent where appropriate.
• Accountability for Onward Transfers: Be responsible for transferring imported personal data outside of the US.
• Security: Ensure the integrity, confidentiality, and accessibility of personal data.
• Data Integrity and Purpose Limitation: Restrict the processing of personal data to that which is adequate, relevant, and necessary.
• Access: Fulfil people’s rights over their personal data (where required).
• Resource, Enforcement, and Liability: Ensure people’s rights and freedoms are respected.

This is a basic summary of the principles: many obligations under the DPF and supplementary principles apply in specific situations.

Failure to comply with the DPF Principles could lead to a breach of contract with your European business partners, enforcement via the FTC or DOT, or legal action from European data subjects.

Develop a DPF Privacy Policy

To certify under the DPF, you must present a DPF-compliant privacy policy statement to the US International Trade Administration (ITA).

Once you’re sure you want to join the scheme, the first step is to develop a privacy policy that demonstrates your commitment to the DPF principles.

Here are some examples of what your DPF privacy policy statement should include:

• The information required under the DPF’s Self Certification supplementary principle, including (among other things):
  • Details of your business and any relevant subsidiaries.
  • A commitment to comply with the DPF principles.
  • A description of your business’s activities pursuant to the DPF.
• The requirements set out under the DPF’s Notice principle, including (among other things):
  • The categories of personal data you (intend to) collect under the DPF.
  • Your purposes for collecting personal data.
  • The types of, or identities of, any third parties with whom you share personal data
• Details of your Independent Recourse Mechanism (see below).

Establish an Independent Recourse Mechanism

Under the Resource, Enforcement, and Liability principle, you must implement an Independent Recourse Mechanism to allow individuals to exercise their rights under the DPF.

If you plan to import human resources data under the DPF, you must commit to comply with the advice of the relevant EEA data protection authorities in respect of this data.

For other types of personal data, you can also commit to comply with the advice of an EEA data protection authority, or you can sign up for a mechanism provided by another organisation.

The ITA cites some examples of organisations that provide an Independent Recourse Mechanism:

• The Jams Foundation
• BBB National Programs
• TRUSTe
• International Centre for Dispute Resolution-American Arbitration Association
• PrivacyTrust
• VeraSafe
• Insights Association

Pay the Arbitration Fund Fee

DPF participants must pay towards a fund established to deal with the costs arising from arbitration under the scheme. More information about this fee is available from the American Arbitration Association.

Implement a Verification Process

DPF participants must verify their compliance with the DPF principles, either through self-assessment or outside compliance reviews.

Under the Verification supplementary principle, self-assessment requires (among other things):

• Demonstrating that your privacy policy is accurate, comprehensive, readily available, conforms to the DPF principles, and is being complied with.
• Indicating that individuals are informed your complaints processes and Independent Recourse Mechanism
• Putting employee training programmes in place, and having a disciplinary procedure for employees that fail to follow them
• Putting internal procedures in place for regularly reviewing all of the above.

If you opt for outside compliance reviews, these must demonstrate all of the above—and must also provide information about the review process.

Designate a point of contact

You must designate someone in your organization who will handle complaints, access requests, and any other DPF-related issues that might arise.

Double, triple-check, and submit your application

Once you’re ready to make your application to join the DPF, you should review it (thoroughly!) and submit it to the ITA.

If there are any problems with your application, the ITA will contact you. But there are strict deadlines for responding to queries from the ITA, so it’s better to get everything right the first time.