The United States Department of Commerce has just unveiled its Data Privacy Framework Program (DPF) website, which provides more than just information about ensuring data privacy. The site also allows US companies to self-certify in the data privacy framework the United States maintains with the European Union, United Kingdom, and Switzerland.
International data transfers have become more complicated in recent years with the emergence of laws that require companies to store the data of their consumers or users in the same country where the data was generated. This has greatly affected global companies like Meta and Google, which collect data and store it on servers in different parts of the world. Smaller businesses are also affected by tighter controls over international data transfers.
Data flows between countries in North America and Europe are associated with an estimated $1 trillion worth of trade and investment. That is why data regulation receives such close attention, and why the United States government is trying to help businesses navigate the legal and technical complexities through the DPF.
Clarifying data privacy
Before going into the DPF details, here’s a brief overview of data privacy. Privacy, as it pertains to data, means providing full control to the data owner over how their data is accessed, observed, and used. It does not mean an absolute prohibition against data collection and use. If there is consent for an entity to access, observe, or use someone’s data, it is safe to say that there is no privacy violation.
However, it is apparent that data privacy violations have become rampant over the years, mainly facilitated by deceptive “terms and conditions” and the tendency of most customers or app users to be careless about their data. That is why regulators have stepped in to impose more stringent rules and bigger penalties on violators, especially when it comes to data stored abroad. Regulators are trying to rein in unscrupulous businesses and, more importantly, cybercriminals who are out to take advantage of lax or almost nonexistent privacy policies.
Certainly, privacy laws are aimed at helping customers and the general public maintain their data privacy. Along the way, however, these regulatory impositions are creating confusion, inconvenience, and unnecessary legal woes. The DPF, together with the DPF website, addresses these issues for the benefit of customers and of businesses interested in collecting and using customer data.
Making good use of the DPF
With European countries enacting strict laws on the collection, storage, and use of their citizens’ data, the United States government formulated a mechanism that makes it possible for US organizations to legally transfer data from the United Kingdom, Switzerland, and the European Union to the United States. The DPF provides a legitimate and viable way to bring data to the United States without violating EU, UK, and Swiss laws on data privacy and security.
The DPF website helps enterprises of all sizes avoid legal entanglements involving data collection and usage. To be clear, it is not a system for evading regulation but a framework that enables qualified organizations to continue accessing and using data from abroad without adverse legal implications. This matters given the role of data in how today’s economies interoperate: cutting off data access and use can seriously impair global economic activity.
The newly launched DPF website provides resources about the Data Privacy Framework, including a list of participants, updates, a program overview for specific audiences, and a self-certification system. The self-certification section of the website allows interested parties (US organizations) to evaluate whether they qualify to be part of the framework. Organizations that are certified become participants, and their names are included in the list.
Self-certification entails an examination of whether an organization complies with the applicable laws on data security and privacy. The organization must comply with the relevant US laws and the corresponding foreign laws (EU, UK, or Swiss) for the data transfer it wants to undertake.
Companies that intend to transfer data from the EU, Switzerland, and the UK are required to sign up and become part of the DPF program by October 10, 2023. Several well-known companies have already signed up on the DPF website. These include 23andMe, Adobe, Akamai Technologies, Bitcoin, ComScore, Coinbase, Google, GoPro, McDonald’s Corporation, Microsoft, Meta, Quickbase, Stripe, Starbucks, Procter & Gamble, Volvo, and ZenDesk.
The importance of strong data privacy and security solutions
The Data Privacy Framework program helps enforce relevant data security and privacy laws in the United States and most of Europe. However, this does not mean that participation is permanent and irrevocable. Participating organizations must be able to prove that they continuously meet the legal requirements for private and secure data transfers. Failure to sustain solid data security policies and solutions not only voids access to the DPF mechanism; it can also result in legal charges for violating the relevant data privacy and security laws in the United States and in the country of origin of the transferred data.
As such, it is vital to use reputable and reliable data security solutions. Organizations need to invest in high-quality data privacy and defense systems. It also helps to rigorously implement data handling best practices, including the following:
- Enforcing strong data protection through strict user access controls and the principle of least privilege
- Data masking or anonymization through encryption, generalization, perturbation, and other techniques
- Data loss prevention systems applied to data in motion and at rest
- Effective data change management, particularly when it comes to tracking, logging, and reporting data structure changes
- Privileged user monitoring
- Auditing sensitive data access
- Securing the archives of audit trails
- Imposing strong user rights management to detect abusive, excessive, or inappropriate data access and use
- Mapping of web application end users
- Ensuring the strict privacy and security of VIP or sensitive data
The Data Privacy Framework program may appear to be more of a legal concern, but it does contribute to real-world data privacy. Governments are often assailed for being slow or inadequate in addressing cybersecurity concerns. However, the finalization of the Data Privacy Framework itself shows that regulators are trying to keep up.
It took years of negotiations for the DPF program to be established. A similar attempt a few years back, called the EU-US Privacy Shield Framework, was invalidated by the EU Commission. The Data Privacy Framework was finally approved on July 10, 2023, and it provides a useful system against abusive data collection and use, especially by Big Tech players.
Article contribution by Hazel Raoult.