- the disclosure of their personal data to another Controller (i.e., an organization that, alone or jointly with others, determines the purposes and means of the processing of personal data);
- the use of their personal data for a purpose that is materially different from the purpose(s) for which the personal data was originally collected (as described in the relevant notice) or subsequently authorized by the DPF Covered Individuals; and
- having personal data used for direct marketing.
This direct marketing opt-out right is “subject to reasonable limits” established by the certified business, such as “time to make the opt out effective” (see Supplemental Principle 12). A certified business also may use the personal data for certain direct marketing purposes when:
“… it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual’s wishes.”
Supplemental Principle 9b provides additional information about application of the Choice Principle to HR Data emphasizing that nothing in DPF is meant to supersede restrictions in European law related to employee personal data.
U.S. State Laws: The choices offered under the DPF Choice Principle are like the privacy rights available under the U.S. state privacy laws but, of course, the DPF choices are available to DPF Covered Individuals rather than residents of the specific states that have passed privacy laws. Accordingly, depending on how the certified business currently handles U.S. state privacy rights and GDPR data subject rights, DPF compliance may require some changes or additions to current processes. See Access Principle (below).
For “sensitive information,” the certified business must obtain the DPF Covered Individual’s “affirmative express consent” before disclosing the sensitive information to a third party or before using the sensitive information for a purpose not covered in the original notice or authorized by the affirmative express consent. In Principle 2 (Choice), sensitive information is defined as medical or health conditions, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and sex life information. Supplemental Principle 1a (which uses the term “sensitive data” instead of sensitive information) lists exceptions to the affirmative express consent requirement. See Section VI below for more information.
U.S. State Laws: the California Consumer Privacy Act (California’s state privacy law known as CCPA) requires opt-out consent to sensitive personal information processing (as does the Utah state privacy law) but the state privacy laws in Colorado, Connecticut, Utah and Virginia require opt-in consent for sensitive personal information processing.
The DPF’s definition of sensitive information in Principle 2 is narrower than the definition under GDPR Article 9[4]. But the DPF Adequacy Decision states that “any data that is considered sensitive under Union data protection law (including data on sexual orientation, genetic data and biometric data) will be treated as sensitive under the EU-U.S. DPF by certified organisations” (Clause 18).
U.S. State Laws: the U.S. state privacy laws in Connecticut, Utah and Virginia include precise geolocation in the sensitive personal information category. CCPA and the U.S. state privacy laws in Connecticut and Virginia include personal data collected from a known child. CCPA § 1798.140(ae) also is arguably broader than GDPR Art. 9 by including precise geolocation and contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication) but the CCPA definition does not include “political opinions.”
(3) Accountability for Onward Transfers: DPF requires a certified business to comply with certain procedures and impose certain types of contractual terms when transferring personal data received from the EU (and UK and/or Switzerland).
Unlike GDPR, a Controller-to-Controller transfer requires a contract under Supplemental Principle 10c. Existing data processing agreements that rely on Standard Contractual Clauses (SCCs) are not sufficient under DPF because they do not address the DPF Principles. Accordingly, a certified business should review and update data processing agreements that apply to personal data transfer to the U.S. under DPF.
(4) Security: Similar to GDPR Art 32, DPF requires taking reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction while taking into due account the risks involved in the processing and the nature of the personal data.
U.S. State Laws: Like the U.S. state data security and state privacy laws, a DPF certified business that collects personal data must implement reasonable security procedures and practices appropriate to the nature of the personal data to protect the personal data from unauthorized or illegal access, destruction, use, modification or disclosure.
(5) Data Integrity and Purpose Limitation: DPF generally requires a certified business to use and retain personal data only for the purposes for which it has been collected or subsequently authorized by the DPF Covered Individual. DPF also requires taking reasonable steps to ensure the reliability of personal data with respect to its intended use.
(6) Access: Subject to some exceptions and exemptions, DPF requires a certified business to allow DPF Covered Individuals to access their personal data. DPF also generally requires allowing DPF Covered Individuals to correct, amend, or delete personal data deemed inaccurate or processed in violation of DPF. Supplemental Principle 8 includes details about how to operationalize the Access Principle, such as when a business can deny or limit access and when a certified business may charge a fee for providing access. Supplemental Principle 9 explains that, for HR Data, the certified business is expected to cooperate with EU employers.
(7) Recourse, Enforcement, and Liability: DPF requires a certified business to implement robust recourse mechanisms, cooperate with authorities, and arbitrate claims in accordance with DPF. Additional requirements apply when self-certifying to DPF for HR Data. Supplemental Principle 11 sets out additional details for Dispute Resolution and Enforcement. See Section V below for more details.
U.S. State Laws: Like the U.S. state privacy laws, which provide that publicly available information is not included in the definition of “Personal Data,” the DPF provides that it is not necessary to apply the Notice, Choice, Access, or Accountability for Onward Transfers Principles to public record information, if all conditions established by relevant jurisdictions are met. The Notice, Choice, Access, or Accountability for Onward Transfers Principles must be applied, however, when the public record information is combined with non-public record information. It is also not required to apply the Notice, Choice, or Accountability for Onward Transfers Principles to publicly available information unless the transferor indicates that the publicly available information is subject to restrictions that require application of the Principles for the intended uses of the DPF certified business.
- Provide prior notice about personal data processing under the DPF Notice Principle, which is similar to GDPR Art. 13-14.
- Allow EU citizens the right to choose:
- whether the certified business can use their personal data for a materially different purpose than was originally disclosed under the DPF Choice Principle – like GDPR Art 18 (which is broader)).
- whether the certified business can disclose their personal data to a third party (other than an Agent(i.e., a third party acting on behalf of a DPF certified business that is a Controller (aka processor)) of the certified business (DPF Choice Principle), which is similar to the requirements in GDPR Art 7, 18.
DPF certification reduces the administrative compliance obligations on a certified business transferring personal data to the U.S. from the EU and, when applicable, Switzerland and the UK. Once certified, a business does not need SCCs with data exporters to the U.S. for personal data transfers from EU, Switzerland and/or UK. In other words, the certified business does not need to execute SCCs with each customer, vendor or business partner involved in these cross-border transfers and can have somewhat more flexibility in contacting because by avoiding the need to use the terms of the SCCs verbatim. (Many businesses may, however, wish to retain or enter into SCCs for ongoing personal data transfers just in case DPF suffers the same fate as its predecessors. And, transfers of personal data to any other jurisdiction not subject to an adequacy decision still require SCCs or another lawful mechanism under GDPR.)
DPF certification also means that, for EEA to U.S. personal data transfers, a certified business can dispense with TIAs, used for analyzing the impact on privacy when personal data is transferred from the EEA to a jurisdiction outside of the EEA that is not deemed ‘adequate’ by the European Commission. Many certified businesses will realize significant costs savings from reducing the use of SCCs and TIAs for DPF-covered transfers.
For businesses without an EU location, the DPF minimizes some of the difficulties arising from GDPR’s extra-territorial scope. That is, for a certified business subject to GDPR because of GDPR Art 3(2), the DPF allows transfers of personal data collected in the EU directly to the U.S. without the need for a data exporter under the SCCs. The DoC notes that the DPF’s compliance obligations are “clearly laid out” (as compared to EU, UK and Swiss data protections laws), which clarity benefits small and medium sized businesses.
The DPF already was challenged by the European Center for Digital Rights, a non-profit organization founded by Max Schrems (see Part 1, FAQ 2) and known colloquially as NOYB. In a press release issued on July 10, 2023 (the same day on which the EU Commission announced the DPF adequacy decision), NYOB announced its readiness to challenge the DPF for inadequately addressing the EU’s concerns about government surveillance and redress for individuals.
On September 7, 2023, Philippe Latombe, a member of the French National Assembly, announced that he is challenging DPF in his “personal capacity”. In his press release, Latombe stated that the DPF text was not subject to informed debate by the European Parliament and violates the Charter of Fundamental Rights of the Union by providing “insufficient guarantees of respect for private and family life”. Latombe requests the immediate suspension of DPF and replacing DPF with a more “balanced” framework.
In the meantime, however, EU organizations and certified businesses can take advantage of the DPF to receive personal data in the U.S.
II. ELIGIBILITY FOR DPF CERTIFICATION
Broadly, the DPF is available for U.S. legal entities that are subject to the investigatory and enforcement powers of the FTC or the U.S. Department of Transportation (DoT).
The Federal Trade Commission Act (FTC Act) grants the FTC broad authority over acts or practices affecting interstate commerce by any person, partnership or corporation. Generally, this means businesses operating for profit in the U.S.
- The FTC does not have authority over:
- “most” depository institutions (banks, federal credit unions, and savings & loan institutions),
- telecommunications and interstate transportation common carrier activities (see also FAQ II.4 below).
- air carriers
- labor associations
- “most” packer and stockyard activities.
- The FTC Act (15 U.S. Code § 44) defines “corporation” as any company, trust, so-called Massachusetts trust, or association, incorporated or unincorporated, which is organized to carry on business for its own profit or that of its members.” Accordingly, the FTC does not have authority over not-for-profit (or tax-exempt) charitable corporations. But, the FTC will exercise its authority if tax-exempt charitable organization is misusing its funds or if the organization’s status as a charitable organization is a sham. Also, most trade and professional associations that are tax-exempt under Section 501(c)(6) of the Internal Revenue Code are subject to the FTC’s jurisdiction.
U.S. businesses that collect, use and share health-related personal data – or HIPAA-adjacent health information [5] – that is outside the scope of HIPAA are subject to FTC oversight.
The application of DPF to businesses engaged in medical or pharmaceutical research studies is discussed in Supplemental Principle 14.
Several businesses that process health-related information already received DPF certification, including, for example: 23andMe, Inc., Acadia Pharmaceuticals, Cerner Corporation, Flo Health, Inc., New England Research Institutes, Inc. and Precision Digital Health.
Entities regulated by the Federal Communications Commission (FCC) are eligible for DPF certification to the extent that they also are subject to FTC jurisdiction.
FCC-regulated entities, including telecommunications carriers, are outside of FTC jurisdiction if they are engaged in “common carrier” activities. Common carrier activities include entities engaged as a common carrier for hire, by wire, radio, or interstate or foreign radio transmission, including landline and wireless telephone services and commercial mobile services.
If FCC-regulated entities engage in non-common carrier activities, they are subject to FTC authority (see Federal Trade Commission v. AT&T Mobility LLC.) Accordingly, FCC regulated entities engaged in non-common carrier activities are eligible for DPF certification. This includes landline and wireless telephone services, as well as commercial mobile services.
Relatedly, broadband internet access services, or BIAS, are no longer common carriers. In 2018, the FCC re-classified BIAS as a type of “information service” rather than a “telecommunications service.” BIAS also includes mobile broadband, which is high-speed internet access delivered to mobile devices.
III. PERSONAL DATA TRANSFERS COVERED BY DPF
Presumably, personal data collected from applicants and independent contractors is covered as non-HR Data.
Yes. DPF covers transfers from the 27 EU member states and Norway, Iceland and Liechtenstein.
See FAQ I.5 and FAQ I.6 for more information.
IV. DPF CERTIFICATION FEES AND COSTS
- $0 to $5 million, certifying to a single framework is $250 annually, and certifying to both frameworks* is $375 annually.
- Over $5 million to $25 million, certifying to a single framework is $650 annually, and certifying to both frameworks is $975 annually.
- Over $25 million to $500 million, certifying to a single framework is $1,000 annually, and certifying to both frameworks is $1,500 annually.
- Over $500 million to $5 billion, certifying to a single framework is $2,500 annually, and certifying to both frameworks is $3,750 annually.
- Over $5 billion certifying to a single framework is $3,250 annually, and certifying to both frameworks is $4,875 annually.* The UK Extension does not require additional fees.
2. Annual Fees for the Arbitral Fund. The arbitral fund covers the fees associated with the DPF Panel (see FAQ V.1 below)
3. Fees for an Independent Recourse Mechanism (IRM) – IRM fees apply for both HR Data and non-HR Data. The IRM fees for non-HR Data vary by IRM provider. (See FAQs V. 2 and V.3 below.)For HR Data, the business must commit to cooperate with the appropriate European data protection authority/ies for the relevant part(s) of the DPF program, i.e., the EU data protection authorities (EU DPAs) under the EU-U.S. DPF; the UK Information Commissioner’s Office (ICO) and, as applicable the Gibraltar Regulatory Authority (GRA) under the UK Extension to the EU-U.S. DPF; or the Swiss FDPIC under the Swiss DPF (collectively, the DPA Panel). That is, the DPA Panel is the only permitted IRM provider for HR Data. The fee for the DPA Panel is $50 per year which covers EU DPF and UK Extension and the Swiss DPF.
V. DISPUTE RESOLUTION
Under the DPF Notice Principle, a certified business must publish contact information for complaint submissions and an IRM. The DPA Panel is the only IRM allowed for HR Data, but a U.S. business may choose a different IRM for non-HR Data.
Contacting an IRM is either the first or second step in the process for complaint resolution.
If the DPF Covered Individual reaches out to the certified business first, then the certified business must respond to the complaint no later than 45 days after receiving the complaint.
The aggrieved DPF Covered Individual can choose to utilize the IRM as a first step, although an IRM is expected to encourage contacting the certified business first. The IRM can award monetary damages, injunctive relief and impose sanctions, which “should include publicity for findings of non-compliance and the requirement to delete data in certain circumstances” (Supplemental Principle 11.e).
The DPF Covered Individual also can reach out to an EU DPA when HR Data is involved or if the certified business voluntarily agrees to submit to the EU DPA’s oversight for non-HR data. (If a DPF Covered Individual otherwise reaches out to an EU DPA in any other case, then the EU DPA is expected to refer the DPF Covered Individual to the DoC or FTC.)
If the certified business does not comply with the EU DPA’s “advice,” then the EU DPA can refer the complaint to the DoC. The DoC can remove the certified business from the DPF Active list or refer the case to the FTC or DoT, as applicable (see FAQ II.1 above).
If the complaint that a certified business has violated its DPF obligations remains unresolved after all of the above options are exhausted, then the next step is an arbitration option known as the EU-U.S. Data Privacy Framework Panel (DPF Panel).
An IRM is intended to ensure compliance with the DPF by allowing a DPF Covered Individual to submit a complaint to an independent third party that can investigate and resolve the DPF Covered Individual’s complaints at no cost to that individual.
The DPF requires that IRMs are impartial and transparent. An IRM must:
- Provide DPF Covered Individuals with information about the DPF and how to file a complaint, timing for processing complaints, a description of potential remedies and a notice about the IRM’s privacy practices;
- Investigate and expeditiously resolve each complaint received;
- Publish an annual report that includes aggregate statistics regarding the dispute resolution services.
IRMs can also award damages for those affected by noncompliance.
If the IRM does not resolve the DPF Covered Individual’s complaint, that individual also may choose binding arbitration by the DPF Panel (see FAQ V.6 below).
Current options for non-HR data personal data are:
- Better Business Bureau – Form
- JAMS – here
- TRUSTe – here
- International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) – program information
- PrivacyTrust – Apply online
- VeraSafe – Enroll online
- Insights Association – Form
- The ANA – Webpage
By Executive Order (EO) issued on October 7, 2022, President Biden authorized the Director of National Intelligence to create a multi-layer mechanism for non-U.S. individuals to obtain review and redress of claims that their personal data collected through U.S. signals intelligence was collected or handled by the U.S. in violation of applicable U.S. law.
Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the EO’s enhanced safeguards or other applicable U.S. laws were violated and, if so, to determine the appropriate remediation.
As a second layer of review, the Data Protection Review Court (DPRC) created by the U.S. Attorney General provides an independent and binding review of the CLPO’s decisions upon an application from the individual or an element of the Intelligence Community.
VI. DPF POLICIES AND PROCEDURES
The DPF requires a DPF-compliant privacy policy for HR Data and for non-HR Data.
The DPF website provides sample provisions for explaining certification to the two Frameworks and UK Extension; the authority of the FTC and/or DoT under DPF; and the internal complaint process.
For HR Data, the DPF does not require publicly posting the privacy policy but, for non-HR Data, the certified business must post the privacy policy on its website or otherwise provide information about where the privacy policy is available for the general public to access. As noted in FAQ V.1, the certified business must cooperate with the DPA Panel as the IRM.
The DPF also requires employers to accommodate the privacy preferences of employees by restricting access to HR Data, anonymizing certain HR Data or assigning codes or pseudonyms.
Supplemental Principle 9 explains how the Notice and Choice Principles apply specifically to HR Data. Generally, a certified business must abide by the Notice and Choice Principles when disclosing HR Data to third parties or using it for a different purpose than originally contemplated. However, the Notice and Choice Principles do not need to be provided if it is necessary to avoid prejudicing the ability of a certified business to make promotions, appointments, or other similar employment decisions. This is a broad exception to Notice and Choice for HR Data.
VII. Data Processing Agreements
Your Question Our Answer 1. Do I need to update a data processing agreement designed for GDPR, UK GDPR and/or FADP (together, European Privacy Laws)? In DPF, a processor is also referred to as an “agent.” European Privacy Laws – such as GDPR Art 28 – generally require an agreement between a controller and processor. No additional authorization is required when a certified business is merely processing personal data because the DPF deems the certified business to provide adequate protection. 2. Do I need a controller-to-controller data processing agreement? Yes, when a certified business shares personal data covered by DPF with another controller, the certified business must enter into a data processing contract to ensure that the personal data receives DPF-level protections. European Privacy Laws do not require controller-to-controller data processing agreements except when the SCCs apply to the personal data transfers. 3. Does a certified business have an affirmative obligation to verify a vendor’s DPF certification? Is certified business liable for using a vendor that misrepresented its DPF certification status? No. When a DPF-certified business transfers personal data to another U.S. business, the DPF does not require that the recipient U.S. business is DPF-certified. The transfer must, however, otherwise comply with DPF. Subscribe By Email
Litigators Show/Hide
- Keith Bradley
- Kristin Bryan
- John A. Burlingame
- Alexis Chandler
- Amy Doolittle
- Adam Fox
- Colin Jennings
- Christina Lamoureux
- Rafael Langer-Osuna
- Victoria Leigh
- Thomas Lloyd
- Hannah Makinde
- Marisol Mork
- Meghan Quinn
- Jesse Taylor
- Elizabeth Trebbien
