Understanding the EU-U.S. Data Privacy Framework
The EU’s General Data Protection Regulation (GDPR) is one of the most stringent data privacy laws in the world. It governs the personal data of individuals in the EU, including when that data is transferred to the U.S. The EU-U.S. Data Privacy Framework (DPF) is a set of commitments and principles that allows personal data to be transferred from the EU to the U.S. in a way that meets GDPR requirements. In this article, we’ll introduce this new data privacy framework and discuss how it supports the transatlantic transfer of personal data. We’ll also explore the benefits for U.S. businesses that participate in the program and compare it with the NIST Privacy Framework, a voluntary set of privacy risk management practices that can be implemented alongside the EU-U.S. DPF.
What Is the EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework went into effect on July 10, 2023, replacing Privacy Shield, a predecessor program that was invalidated by the Court of Justice of the European Union in 2020 (the Schrems II decision) after it was determined to provide inadequate protections for EU personal data. This new agreement between the United States and the European Union provides a mechanism for businesses to transfer personal data from the EU to the U.S. in a way that upholds EU data protection standards. It restricts U.S. government access to EU data, establishes more robust oversight mechanisms and provides EU individuals who believe their data was used improperly with options for redress.
While U.S. companies not operating in the EU are not required to adhere to GDPR, many choose to follow its guidelines on a voluntary basis. Businesses can self-certify with the U.S. Department of Commerce that they are in compliance with DPF principles. Although the provisions of the EU-U.S. Data Privacy Framework are extensive, we’ve provided an overview of the seven core principles below.
Notice: The DPF mandates transparency on data collection practices, including the types of personal data that are collected and the purposes for which data is collected and used. It also requires that organizations inform individuals about their rights to access their own personal data, how they can contact an organization for questions or complaints regarding data usage, and the disclosure of any third-party data-sharing agreements.
Choice: The DPF provides individuals with the ability to prevent their personal data from being disclosed to a third party or used for a purpose other than the one for which the data was originally collected. The choice principle also stipulates that express consent is required if certain types of sensitive data are to be used outside of the expressed purpose or to be disclosed to third parties. Examples of sensitive data include medical or health-related information, religious affiliation, and racial or ethnic origin.
Accountability for onward transfer: Organizations that transfer personal data to third parties must accept responsibility for these onward transfers, ensuring continued compliance with relevant guidelines contained within the data privacy framework.
Security: Organizations that collect, store, use or share personal information must take appropriate measures to safeguard that data from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
Data integrity and purpose limitation: Organizations must ensure that the personal data they collect is reliable for the use case, accurate, complete and up to date. Personal information must be limited to what is relevant for processing and cannot be retained for longer than needed to fulfill the original purpose for processing.
Access: Individuals have the right to access the personal data an organization holds about them and to correct, amend or delete information that is inaccurate or that has been processed in ways that violate DPF principles.
Recourse, enforcement and liability: The DPF ensures the availability of effective legal protection, recourse for individuals whose personal information has been improperly used and consequences for organizations that fail to adhere to DPF principles.
DPF Versus the NIST Privacy Framework
Although there is overlap between the EU-U.S. DPF and the NIST Privacy Framework, their intended purposes are distinctly different. The NIST Privacy Framework, developed by the National Institute of Standards and Technology at the U.S. Department of Commerce, is a voluntary tool designed to help businesses align their practices with well-established privacy principles, regulations and laws. It serves as a blueprint for organizations committed to developing their product and service offerings in ways that protect individual privacy. The focus of the DPF is narrower, placing obligations on companies that transfer personal data from the EU to the U.S.
Benefits of Following the EU-U.S. DPF
The value of the EU-U.S. DPF extends beyond simply providing companies with a framework for verifying compliance with EU data protection laws. Here are four reasons why an organization might voluntarily choose to follow the framework.
Enhanced customer trust
The EU-U.S. DPF principles are designed to give personal data transferred to a participating organization a level of protection consistent with relevant GDPR requirements. When a business joins the DPF, it publicly commits to handling that personal data in accordance with the DPF principles, and with GDPR, one of the most stringent data privacy laws in the world.
Access to a comprehensive set of best practices and detailed technical guidance
Organizations seeking to build a more robust internal data privacy compliance program can use the EU-U.S. data privacy framework as a foundation. Although the goal of the DPF program is to enforce compliance with GDPR, the principles it contains are modeled after widely accepted data privacy best practices.
Meaningful compliance with data privacy standards
When an organization self-certifies compliance with the EU-U.S. DPF, it commits to aligning its data privacy practices with the principles contained in the program. Compliance with the data privacy framework is enforceable under U.S. law, making participation in the program meaningful.
Market access
Participation in this data privacy framework unlocks data transfer opportunities in markets within the EU. When businesses certify compliance with EU-U.S. DPF, they reduce the data privacy risk and administrative burden for their EU-based customers, affiliates and business partners.
How Snowflake Strengthens Data Privacy
For organizations seeking to align with the EU-U.S. DPF or NIST Privacy Framework standards, Snowflake enables data privacy and compliance for regulated workloads. Built from the ground up to deliver end-to-end data security for all data platform users, Snowflake follows best-in-class, standards-based practices for the controls and processes that secure it. As part of the overall security framework, Snowflake leverages NIST 800-53 and the CIS Critical Security Controls, a set of controls created by a broad consortium of international security experts to identify the security functions that are effective against real-world threats. Snowflake uses a multilayered security architecture to protect customer data and access to that data.