
What does the EU-US Trans-Atlantic Data Privacy Framework mean for organisations?

In October 2022, President Biden of the United States signed an Executive Order (EO) to implement a new European Union and United States data privacy network – the Trans-Atlantic Data Privacy Framework (EU-U.S. DPF).

Stephen Bailey, Global Privacy Services practice lead at NCC Group summarises what this new framework is, and shares thoughts on what it means for organisations and individuals.

What is the EU-US Trans-Atlantic Data Privacy Framework?

The EU-U.S. DPF was first announced by President Biden and European Commission President von der Leyen in March 2022. Its purpose is to re-establish the legal framework around the transfer of personal data from the EU to the US, known as transatlantic data flows.

The framework was created after the Court of Justice of the European Union raised concerns about the existing legal framework on transatlantic data flow – the EU-US Privacy Shield – leading to more than a year of negotiations between the EU and US.

In October 2022, President Biden signed an Executive Order that will see US commitments made in the new framework become a reality.

What areas of the framework do organisations need to be aware of?

As set out by the EU, the framework has five key principles:

  • Data will be able to flow freely and safely between the EU and participating US companies
  • A new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security
  • A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US intelligence authorities, which includes a Data Protection Review Court
  • Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the framework through the U.S. Department of Commerce
  • Specific monitoring and review mechanisms

In particular, organisations should be aware that they will be expected to adhere to the principles of the Privacy Framework, which means ensuring that they know what personal data they are processing from the EU and whom they involve in any aspect of that processing.

What’s next, now the framework is being implemented?

The steps taken by the EO will provide the European Commission with a basis to adopt a new adequacy determination, which means recognising that the US provides the same level of data protection as the EU. This will support data transfer under EU law in a way that is accessible and affordable. It will also give clarity and legal certainty to organisations involved in the transfer of data, including companies using standard contractual clauses and binding corporate rules to transfer EU personal data to the United States.

How will this impact UK organisations?

Shortly after the EO was published, the UK Digital Secretary and US Secretary of Commerce met to discuss digital priorities, after which they released a joint statement in which the UK indicated that it would provide for a ‘stable and reliable mechanism for UK-US data flows’ and the US stated their intention to ‘work to designate the UK as a qualifying state under the EO’. While positive adequacy decisions from the EU and UK are not guaranteed by any stretch, they are looking likely given the level of support behind them. While those adequacy decisions go through their separate processes, it is important to continue conducting Transfer Impact Assessments (TIAs) or Transfer Risk Assessments (TRAs). Knowing what data you want to transfer and why is never wasted effort.

NCC Group welcomes these conversations, and was represented, alongside other FTSE250 companies, at the business roundtable that discussed the joint statement and shared priorities with the UK and US teams. It is continuing dialogue with policy-makers to ensure industry experience informs international data policy, something which will be important to ensure a safe and secure future for data transfer within these territories.

