News -

Viewpoint: Trans-Atlantic Data Privacy Framework announcement

Following the recent announcement by the European Commission and the United States government on a new Trans-Atlantic Data Privacy Framework, NCC Group Associate Director Stephen Bailey shares his thoughts on what the latest development in data protection regulation means for organisations and individuals.

Statement of intent

The new Trans-Atlantic Data Privacy Framework, at least in principle, will raise the hopes of many organizations struggling to stay one step ahead of data protection regulators’ enforcement actions across the European Union. But it’s important to keep in mind that this is just a statement of intent and the detail has yet to be worked out, some of which could require legislative change.

New safeguards

There seems to be commitment on the part of the US to address the two main issues that pulled the privacy rug out from under Privacy Shield in the Schrems II case—the access that US public authorities have for national security purposes to personal data transferred from the EU, and the lack of any meaningful redress for those individuals whose data has been accessed. The joint statement references the US putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available.

EU to US transfers of personal data currently require the exporter to adopt an approach that provides for appropriate safeguards to a standard that is of “essential equivalence”. One option for this is the use of EU standard contractual clauses (SCCs), plus supplementary measures, for which the European Data Protection Board adopted a set of recommendations, but this approach has not stood up to scrutiny in a number of recent investigations undertaken by supervisory authorities in the EU. The privacy campaigners that brought recent cases have many other similar ones in process so will be watching with great interest.

Root of the problem

At the root of the problem is the fundamental disconnect between the EU and US with respect to privacy. The absence of federated privacy laws in the US and the proliferation of laws at the state level that are still either breach oriented or lacking in providing a specific basis for enforcement creates issues that will make it highly likely that this new framework will once again be successfully challenged.

The joint statement makes no mention of the Court of Justice of the European Union (CJEU), the judicial arm of the European Union that invalidated the adequacy decision for the EU-US Privacy Shield. It’s possible that’s because this is the early stages, but they will no doubt be asked to rule on whatever the new Trans-Atlantic Data Privacy Framework turns out to be. Similarly, the proposed Data Protection Review Court will likely face challenges from a variety of perspectives in the US legal system.

The future

Establishing the Data Protection Review court, if successful might provide the basis for enforcement, but absent a framework similar to GDPR will not support proactive compliance.

But “essential equivalence” will always be a challenge to achieve and maintain until such time as the US passes effective data privacy legislation.

Topics

  • Technology, general

Categories

  • increasing regulatory & legislative requirements

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

Schrems II judgement – what does it mean for privacy and personal data in the UK and US?

In the latest news concerning how the personal data of people in the EU is transferred to the United States, the European Court of Justice has ruled that the protections afforded by the EU-US Privacy Shield are not adequate. In this article, we have simplified the case and decision to help you to understand the changes.

What does the EU-US Trans-Atlantic Data Privacy Framework mean for organisations?

Stephen Bailey, Global Privacy Services practice lead at NCC Group shares a useful summary of the new European Union & United States data privacy network – the Trans-Atlantic Data Privacy Framework and what it means for organisations and individuals.

Protecting our data: UK Government publishes Data Protection and Digital Information Bill

In July this year, the UK Government published its newly reformed data protection bill, the Data Protection and Digital Information Bill, aiming to improve upon previous regulations and simplify the UK’s data protection landscape. Stephen Bailey, Global Privacy Services practice lead at NCC Group, provides his thoughts on the Bill

Spotlight: ISO 31700 standard – Protecting the consumer with privacy by design

The ISO 31700 standard focused on privacy by design for consumer goods and services came into effect on 8 February 2023. Stephen Bailey, Global Privacy Services practice lead at NCC Group shares thoughts on how this could help in the world of consumer protection.

Schrems II Judgement: A US Perspective


It has been a few weeks since the decision was made to invalidate Privacy Shield under what is being referred to as the Schrems II Case.
As a quick reminder, Maximillian Schrems, an Austrian citizen, raised a complaint against Facebook Ireland to the Irish Data Protection Commissioner. In the complaint, Mr. Schrems claimed the transfer and processing of his personal data outside of the Eur