Global trade has been growing for decades, as most economies accelerated their globalization since the 1990s, using digital technology as a key catalyst that helped industries interconnect further and innovate.
That explains why the recent agreement between the United States and the European Union on a new Trans-Atlantic Data Privacy Framework is highly consequential and deserving of attention from businesses and professionals in the US and the EU.
The EU General Data Protection Regulation (GDPR) Article 44 describes the general principles for data transfers from the EU to third countries (including the US), while Article 45 describes the power of the European Commission to determine whether a country outside the EU offers an adequate level of data protection that can be used as a basis for data transfers toward that country.
Previously, the EU-US Privacy Shield served as a framework for regulating EU to US data transfers, but the Privacy Shield was invalidated by the European Court of Justice in 2020, leading to legal limbo that put many companies in a difficult position to determine how and when to transfer data. The new agreement is a promising sign that companies on both sides of the Atlantic will soon be on much sturdier footing.
This focus on strengthening the data privacy landscape is urgently needed; as the ISACA Privacy in Practice 2022 report notes, failure to build privacy by design into applications and services, a lack of training, and subpar detection of personal information remain prevalent failures damaging companies’ reputations and relationships with customers.
Now there is new cause for optimism. According to a joint statement, “The Trans-Atlantic Data Privacy Framework reflects more than a year of detailed negotiations between the U.S. and E.U. led by Secretary of Commerce Gina Raimondo and Commissioner for Justice Didier Reynders. It will provide a durable basis for trans-Atlantic data flows, which are critical to protecting citizens’ rights and enabling trans-Atlantic commerce in all sectors of the economy, including for small and medium enterprises. By advancing cross-border data flows, the new framework will promote an inclusive digital economy in which all people can participate and in which companies of all sizes from all of our countries can thrive.”
Taking a closer look, the agreement includes the following principles:
- Data will be able to flow freely and safely between the EU and participating U.S. companies.
- Rules and safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security; U.S. intelligence services will adopt oversight measures on privacy and civil liberties standards.
- A two-tier redress system to investigate and resolve complaints by Europeans on data access by US intelligence authorities, including a Data Protection Review Court.
- Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
- Specific monitoring and review mechanisms.
Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.
The agreement will be scrutinized by EU privacy watchdogs, followed by the “comitology” procedure with EU member states and further work in the European Parliament. The agreement also needs to be translated into legal documents. The U.S. commitments will be implemented via an Executive Order that will form the basis for a draft adequacy decision by the Commission to put in place the new Trans-Atlantic Data Privacy Framework. It is not clear how long this will take, but we can reasonably expect a few weeks at minimum. Taking into account the formal adoption process of a decision, this is likely to extend to a few months.
So, there are many important steps ahead, but the progress that has been made is encouraging. This agreement is extremely significant, both for providing clarity in data rules for individuals and in accommodating transatlantic business transactions. In an era when global collaboration and responsible data governance are both essential components on the enterprise landscape, this framework can position companies for success, while laying the groundwork for further cooperation around the globe.