The European Union’s (EU) July 10, 2023 adequacy decision, which permits companies to keep storing and processing European individuals’ personal data on U.S. soil, ushers in a new era in trans-Atlantic data flow management. After the EU’s highest court struck down two earlier arrangements, Safe Harbor in 2015 and Privacy Shield in 2020, the approval of this new framework for EU-U.S. data flows is a significant development.
The decision will have mostly positive implications for U.S. businesses, especially those involved in advertising and marketing using customer data. Let’s explore the main features of this newly-approved Trans-Atlantic Data Privacy Framework and how it may impact your business.
Why the New Framework?
The rationale behind the new framework stems from a 2020 ruling by the Court of Justice of the European Union (the “Schrems II” judgment), which invalidated the earlier Privacy Shield arrangement for trans-Atlantic data flows. The court found that U.S. surveillance law did not limit government access to transferred data to what is necessary and proportionate, and that EU individuals had no effective means of challenging U.S. governmental surveillance of their data before an independent body. That judgment left the parties searching for another solution that would restore legal certainty and continuity to trans-Atlantic data flows that are pivotal for businesses on both sides.
What is the difference between the new framework and the GDPR, you might ask? The General Data Protection Regulation (GDPR) is the EU’s comprehensive data protection law: it governs how personal data of individuals in the EU is processed and restricts transfers of that data to countries outside the EU unless an approved mechanism is in place. The Data Privacy Framework is one such mechanism, a specific set of commitments and principles that U.S. companies can sign up to so that transfers from the EU to them are treated as adequately protected. Both are concerned with protecting personal data, but the GDPR is the underlying law and the framework is a transfer tool that operates within it.
It’s also important to note that the new framework applies to personal data of individuals in the EU (and the European Economic Area) that is transferred to the U.S. Separate U.S. privacy laws, at the federal and state level, govern the use of U.S. residents’ data and may apply to your business depending on where it operates and whose data it handles.
Key Provisions of the Trans-Atlantic Data Privacy Framework
The framework requires the U.S. to provide an independent redress body that can hear EU individuals’ complaints about U.S. intelligence access to their data and impose binding remedies where U.S. law has been violated. To meet this requirement, President Biden signed Executive Order 14086 in October 2022, which directed the creation of the Data Protection Review Court within the Department of Justice and introduced new safeguards on U.S. signals intelligence activities.
This framework is built upon key data privacy principles (closely modeled on the earlier Privacy Shield principles) that are meant to balance individual privacy rights with the practical requirements of moving data between the EU and the U.S., so that transferred data receives protection essentially equivalent to what it would have in the EU. The core principles include:
- Notice – Companies must inform individuals about the types of personal data they collect, the purposes for which it is used, and the third parties to which it may be disclosed.
- Security – Businesses must implement reasonable and appropriate safeguards to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
- Accountability for Onward Transfer – Companies remain responsible for personal data they pass on to third parties, which must be contractually bound to provide the same level of protection.
- Choice – Individuals must be able to opt out of having their personal data disclosed to a third party or used for a purpose materially different from the one for which it was collected; for sensitive data, affirmative opt-in consent is required.
- Access – Individuals must be able to access their personal data and to correct, amend, or delete it where it is inaccurate or has been processed in violation of the principles.
Some key elements of the framework include:
- Complaints from EU individuals about U.S. intelligence access to their data are first reviewed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.
- Either the complainant or the intelligence community may then seek a binding second-level review by the Data Protection Review Court.
- The U.S. has also committed to limiting signals intelligence collection (the interception of electronic communications) to what is necessary and proportionate to defined national security objectives.
Regarding the new framework, European Commission President Ursula von der Leyen said, “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.”
The agreement reflects a joint commitment to data privacy and aims to foster greater economic opportunities in the U.S. and Europe. Nevertheless, this agreement is still likely to face legal challenges from European privacy advocates, who argue that substantial changes to U.S. surveillance laws are necessary.
Data Privacy Implications for U.S. Businesses
The new agreement provides much-needed legal clarity for U.S. businesses engaged in trans-Atlantic data transfers. For businesses involved in advertising, marketing, and data-informed sales, this framework presents a more legally secure basis for receiving and processing EU customer data, supporting their ability to tailor products, sell online ads, and measure website traffic. Still, understanding and meeting the standards the framework lays out is critical, and requires the following considerations:
- Increased Compliance Requirements. Businesses must align with the principles of the framework, potentially requiring major overhauls in their data privacy policies and practices.
- Enhanced Transparency. Organizations are required to be more transparent about the nature of the data they gather, its usage, and how individuals can exercise their privacy rights.
- Potential Fines and Penalties. Non-compliance can lead to severe financial penalties.
- Improved Trust and Reputation. Compliance with the new framework’s principles can enhance trust among customers and partners, thereby improving a company’s reputation.
Requirements for U.S. Businesses to Participate
For businesses to rely on the new framework for EU-U.S. data transfers, they must self-certify to the Department of Commerce and publicly commit to complying with the EU-U.S. Data Privacy Framework (DPF) Principles, a commitment that is enforceable under U.S. law by the Federal Trade Commission or the Department of Transportation, depending on the company. Get started by:
- Enrolling your company (if it is subject to the jurisdiction of the FTC or DOT) at the newly launched website, www.dataprivacyframework.gov
- When self-certifying to the EU-U.S. DPF, you also have the option to certify to the UK Extension to the EU-U.S. DPF and to the Swiss-U.S. DPF. Note that transfers under these extensions cannot begin until the United Kingdom and Switzerland complete their own legal processes and recognize the respective framework as providing adequate protection.
- If your business is already certified to the EU-U.S. Privacy Shield, you may begin relying on the EU-U.S. DPF immediately to receive personal data from the European Union/European Economic Area. However, you must comply with the DPF Principles, including updating your privacy policy to reference the DPF, by October 10, 2023.
Keeping Data Privacy at the Forefront of Your Business
With this new framework, it is more important than ever for U.S. businesses to prioritize data privacy and to take special care to adhere to all of the DPF Principles when handling personal data received from the EU. While the Data Privacy Framework offers better clarity and legal certainty to businesses, it requires formally self-certifying to the program, and the commitments made in that certification are legally enforceable. Closely review the framework requirements and ensure your organization’s continued compliance, including the annual recertification the program requires.
Finally, keep in mind that potential legal challenges may influence the implementation and effectiveness of the DPF. Protect your interests by continuing to monitor these developments and be prepared to adjust your data handling practices accordingly should any legal decisions be made in the near future.