Seven Promises to Protect Individual Privacy

In order to process personal data received from the European Union, the United Kingdom, and Switzerland, participating organizations in the United States must publicly commit to comply with the seven core Principles and sixteen equally binding supplemental principles. The core principles are summarized below.

1. Notice. Organizations must publish online privacy notices containing specific information about their participation in the Framework (including any additional entities or subsidiaries of the organization also adhering to the Principles); their practices around collecting and processing personal data and sharing it with third parties; the rights of covered individuals to access and correct data; and the choices they make available to individuals regarding limiting data collection and use. Information about all thirteen notice requirements is included on our Requirements of Participation page.

2. Choice. Participating organizations must provide a mechanism for individuals to opt out of having personal information (a) disclosed to a non-agent third party or (b) used for a materially different purpose other than that for which the information was originally provided (or subsequently authorized by the individual). When sensitive information is involved, opt-in consent is required before information may be shared with a third party or used for a new purpose.

3. Onward Transfer. The substantive requirements for sharing personal information depend on the type of third party that receives the information.

a. To transfer personal information to a third party acting as a data controller, a participant must first comply with the Notice and Choice Principles. It must also enter into a contract with the third-party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles.

b. To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable steps to ensure that the agent effectively processes this data in a manner consistent with Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the Department of Commerce. The organization will remain liable if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Table: Choice and accountability requirements by type of third party with which personal data is shared

4. Security. An organization creating, maintaining, using, or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.

5. Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Principles for as long as it retains such information.

6. Access. An organization must provide a mechanism by which data subjects may request access to personal information the organization holds about them and enable them to correct, amend, or delete information that is either (a) inaccurate or (b) processed in violation of the Principles.

7. Recourse, Enforcement, and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance; consequences to organizations for non-compliance, and compliance verification.

a. Individual Recourse: Organizations may subscribe to “readily available and affordable independent recourse mechanisms” such as BBB National Programs to resolve complaints from eligible individuals that the parties were unable to resolve on their own. These dispute resolution services must be provided at no cost to the individual data subject. Organizations and their independent dispute resolution body must respond promptly to inquiries and requests by the Department of Commerce, which is obligated to pass along complaints referred by the proper data authorities. Eligible residents have the option of filing complaints directly with their local data authority, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints. As a last resort, for complaints left unresolved by all other available mechanisms, individuals may invoke binding arbitration.

b. Consequences for Non-Compliance:  In addition to enforcement by the FTC (or Department of Transportation) for its own privacy violations, an organization also remains liable for its agents’ (service providers) failure to comply with the Principles unless the organization can show it was not responsible for the event giving rise to the violation.      

c. Compliance Verification:  Organizations must verify their compliance, either through a documented internal self-assessment process or by engaging a third-party verifier. Organizations must keep records of the implementation of their privacy practices and make them available to enforcement agencies in the course of an investigation.

So long as an organization retains data, it must affirm its compliance to the Department of Commerce on an annual basis. Even if the organization withdraws from the Data Privacy Framework Program, it must continue to treat data collected during the time of its self-certification consistent with the Principles. Alternatively, the organization must either return or delete the information.