With respect to consumer and personal data collected by online businesses, sites, and sales platforms, the European Union (“EU”) and the United States have different statutory and regulatory regimes. There are many similarities, but there are also significant differences. However, given that so much business is global and cross-border, enormous flows of personal and consumer data transfer between the various nations of Europe and the United States. Moreover, data storage is also global, and a U.S.-based company may have huge amounts of data stored at European-based data storage facilities. Stored data must be accessed, and this creates another enormous flow of data between Europe and the U.S.
In the absence of some sort of standardization, these data flows will be impeded as regulators on both sides of the Atlantic Ocean seek to enforce different legal standards. Just as importantly, businesses face uncertainty as to whether they will face administrative or regulatory enforcement actions. Uncertainty is generally a “bad” thing for businesses.
What is the EU – U.S. Data Privacy Framework?
In response to these concerns, the EU – U.S. Data Privacy Framework (“DPF”) was drafted, promulgated, and approved in the summer of 2023. The DPF is a set of rules and guidelines that allow businesses to be certified as compliant with both European and U.S. privacy laws and regulations. The EU’s regulations are called the General Data Protection Regulation (“GDPR”), and the U.S. has a set of State-level laws such as the recently enacted Kentucky Consumer Data Protection Act.
The first such law was enacted by California in 2018 and there are now about 19 States with similar laws. The California statute was based on the GDPR and the other U.S. State laws have been based on the California version. Thus, there is a lot of similarity between the European and American data regulations and rules. For this reason, it is not too difficult for companies to become compliant with the requirements of the two regulatory regimes. Once a company has become certified under the DPF, cross-border and cross-Atlantic data transfers can flow unimpeded without too much risk of regulatory or administrative enforcement actions. Certifications must be annually renewed.
There were previous versions of the DPF called the EU-U.S. Safe Harbor and then the EU-U.S. Privacy Shield. For various reasons, those were deemed invalid and have now been replaced with the DPF.
What was the “problem” that resulted in the new EU – U.S. Data Privacy Framework?
The general rules and regulations for protecting personal and consumer data are similar between the GDPR and U.S. State statutes. Generally speaking, the rules/regulations require businesses collecting and processing data to give notice of what data is being collected/processed, to obtain consents allowing collection/processing, to allow a person access to their data, to allow a person to opt out of having their data processed, and more.
However, access — or potential access — by U.S. intelligence services to European personal data became the issue that led to the new DPF. As discussed here, the new DPF builds in safeguards limiting access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, enhances oversight of activities by U.S. intelligence services, and establishes a new Data Protection Review Court to investigate and resolve complaints regarding access to data by U.S. national security authorities.
How DPF Certification Works in Practice
To become certified under the EU–U.S. Data Privacy Framework, a U.S. organization must self-certify to the U.S. Department of Commerce that it complies with the DPF Principles. The DPF Principles cover notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse/enforcement. The certification process requires the organization to: (1) develop and publicly post a privacy policy that states it adheres to the DPF Principles; (2) designate an independent recourse mechanism — typically a recognized arbitration provider or privacy dispute resolution body — for handling consumer complaints; (3) pay the applicable certification fee; and (4) submit to the Commerce Department’s verification review.
Once certified, the organization’s name appears on the DPF List maintained by the Department of Commerce. EU-based data exporters can transfer personal data to a DPF-certified U.S. organization without needing additional transfer mechanisms such as Standard Contractual Clauses (SCCs). However, maintaining certification requires annual renewal and ongoing compliance — lapses in compliance or failure to renew can result in the organization being removed from the list and potentially facing FTC enforcement action for falsely claiming DPF certification status.
Schrems I and II: The Legal Background Behind the DPF
The DPF is the third attempt at a transatlantic data transfer framework following the invalidation of both its predecessors by the Court of Justice of the European Union (CJEU). In Schrems I (Case C-362/14, 2015), the CJEU invalidated the EU–U.S. Safe Harbor after finding that U.S. surveillance law gave U.S. intelligence services unrestricted access to personal data transferred from the EU. In Schrems II (Case C-311/18, 2020), the CJEU invalidated the EU–U.S. Privacy Shield on the same grounds — that U.S. intelligence programs, including Section 702 FISA surveillance, did not provide EU citizens with protections equivalent to those required under the GDPR.
The DPF addresses these concerns through President Biden’s Executive Order 14086 (October 2022), which established binding limitations on U.S. signals intelligence activities with respect to EU personal data and created the Data Protection Review Court — an independent judicial body within the executive branch that can hear and resolve complaints from EU individuals about U.S. intelligence access to their data. The European Commission issued its adequacy decision for the DPF in July 2023. A new Schrems-style challenge to the DPF has been threatened, meaning businesses relying solely on DPF certification should monitor CJEU developments and consider maintaining SCC backup mechanisms as a precaution.
UK, Swiss, and Other Extensions
In addition to the EU-U.S. DPF, the Department of Commerce administers two parallel frameworks: the UK Extension to the EU-U.S. DPF, which covers data transfers from the United Kingdom, and the Swiss-U.S. Data Privacy Framework, which covers transfers from Switzerland. Organizations that wish to receive personal data from all three jurisdictions must certify under all three frameworks. The certification and renewal processes are administered together but involve separate compliance requirements tied to the UK’s Data Protection Act 2018 (post-Brexit) and Switzerland’s Federal Act on Data Protection (revised 2023). Legal counsel familiar with all three frameworks is advisable for multinational businesses with data flows from Europe, the UK, and Switzerland.
Practical Steps for Businesses Transferring Data Across the Atlantic
Even with DPF certification, U.S. businesses receiving EU personal data must implement the full array of GDPR-equivalent data handling practices: data minimization, purpose limitation, retention limits, breach notification procedures, and data subject rights responses. The DPF is an adequacy mechanism — it creates a legal pathway for the transfer — but it does not replace underlying GDPR compliance obligations on the part of the EU data exporter or the substantive data handling standards applicable to the U.S. recipient under the DPF Principles. Businesses should also conduct transfer impact assessments for any particularly sensitive categories of data to ensure that the DPF protection is adequate for the specific processing activity being contemplated.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.