The General Data Protection Regulation (GDPR) of the European Union has been a source of headaches for many US businesses since it took effect. The GDPR and its sister laws in the UK (the UK GDPR) and Switzerland (the Federal Act on Data Protection, or FADP) regulate how companies collect, use, and store the personal data of EU, UK, or Swiss residents, both within those countries and after that data is transferred outside their borders. Many US companies, especially smaller and mid-size companies, have faced confusion and uncertainty over how to comply with the GDPR's strict requirements for personal data held outside the EU.
What is the Data Privacy Framework (DPF)?
Last summer, the US Department of Commerce, in coordination with the EU, launched the EU-U.S. Data Privacy Framework (DPF) program. The DPF is designed to let eligible US companies self-certify that they provide the protections the GDPR requires before personal data may be transferred to, and held in, the United States. Self-certification under the DPF is not a mechanism for GDPR compliance generally; according to the program's FAQ, a certified company is recognized as providing adequate privacy safeguards for transfers of personal data out of the EU, the UK, and Switzerland under their respective laws only once the relevant authority has adopted an adequacy decision for the framework. The European Commission adopted its adequacy decision for the EU-U.S. DPF in July 2023; the UK Extension to the DPF and the Swiss-U.S. DPF depend on separate decisions by the UK and Swiss authorities.
The DPF publishes guidance on the measures an eligible company must take to provide the privacy protections required to self-certify under the EU-U.S. DPF, the UK Extension, and/or the Swiss-U.S. DPF, which correspond to the GDPR, the UK GDPR, and the FADP respectively, with a stated focus on smaller and medium-sized companies. Companies seeking to self-certify pay annual fees that are tiered by the company's annual revenue and depend on which of the frameworks it certifies under. Companies previously certified under the now-defunct EU-U.S. Privacy Shield program may be able to transition to the DPF, but they must update their privacy policies and protection mechanisms to reflect the DPF Principles rather than rely on their Privacy Shield materials.
Beyond the GDPR – Other Requirements and Regulations
Although the Data Privacy Framework (DPF) is excellent news for eligible companies subject to the GDPR or the related data protection laws in the UK and Switzerland, it provides no self-certification mechanism for any other domestic or foreign data protection law. Since the GDPR took effect, many US states and countries outside Europe have introduced comprehensive data protection laws. While some of these laws are modeled on or resemble the GDPR, there are significant differences among them in the types of data covered and in their compliance requirements. For instance, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), imposes additional requirements and extends its protections to employees and contractors of covered companies, not just consumers.
Data Privacy Laws and Information Security Requirements
Many data privacy laws include mandatory breach notification, and some go further and require companies to take specific measures to protect consumer data; the GDPR, for example, requires "appropriate technical and organisational measures" to secure personal data. This reflects a growing recognition that data protection and information security are two sides of the same coin. Business leaders should build data protection requirements into their information security programs now, both to reduce the risk of a breach and to reduce the legal exposure if one occurs. Companies can use the DPF guidance as a starting point for privacy protections that safeguard customer, consumer, and employee data against unauthorized access and disclosure, while also preparing for compliance with the growing number of stringent data protection laws such as the CCPA and GDPR. By acting now, companies will not be left scrambling to comply when they become subject to these laws, or when their own state or country adopts a similar data protection law.
For more information about the DPF program, eligibility, and self-certification, please visit the US Department of Commerce's DPF website at https://www.dataprivacyframework.gov/. If you have any questions about how the DPF or other data privacy laws and compliance requirements could impact your business, contact us today.
Elizabeth Payne-Maddalena is a Senior Associate at Berenzweig Leonard. She can be reached at epayne@berenzweiglaw.com.