Simon Coulthard September 19, 2023
Brussels - the European Commission has adopted a new EU-US Data Privacy Framework (TADPF). This adequacy decision came into force on July 10th 2023, and facilitates the transfer of personal EU citizen data by US companies across the Atlantic.
This is a significant event for transatlantic data privacy requirements. In effect, this decision legitimizes the transfer of personal data from the EU to the US.
It’s also a surprise, since members of the European Parliament and the EDPB had previously advised against this course of action.
Max Schrems - founder of citizen action group NOYB (the European Center of Digital Rights) - is also challenging it in court. This will pave the way for a “Schrems III” decision at some point in 2024 or 2025.
Read about the Data Privacy Framework on the European Commission website.
It goes without saying that trans-Atlantic data transfer is big business.
It underpins more than $1 million worth of trade and investments each year, making it crucial to a US-EU economic relationship that is valued at $7.1 trillion. This also means that there is strong political support for data transfer capabilities on both sides of the pond.
In this context, the Schrems II ruling - and its invalidation of the US-EU Privacy Shield - created a roadblock in 2020.
This decision had a particularly significant impact on the 5,000-odd US companies that relied on this data protection shield to conduct their own cross-Atlantic commerce without legal worries.
Indeed, many still think that a robust Privacy Shield II is all but impossible in the post-GDPR landscape.
But the deadlock on transatlantic data flows goes back further, to Schrems I, which in much the same way invalidated the Safe Harbor agreement in 2015. In fact, Max Schrems argues convincingly that it goes back 23 years.
The arrival of TADPF will work to resolve this issue. It ultimately enables US companies to take advantage of business opportunities centered around EU resident online data.
The decision acts as a separate tool with which to meet the justification requirements for data transfer under GDPR - a law that has real implications for digital marketers.
As such, it exists alongside other EU justification mechanisms, such as Standard Contractual Clauses, Binding Corporate Rules, and Codes of Conduct.
And with this compliance meaning that businesses will also meet all other global data privacy requirements, it's a fertile avenue to explore.
It’s a particularly useful avenue for small and medium-sized businesses, with the DPF program making personal data transfers from the European Economic Area more affordable and also easier to do.
The Data Privacy Framework has successfully resolved many of the issues that were raised during the drafting process. However, time will tell whether it is capable of withstanding legal challenges, given that federal data access rights in the US impinge on the data security of EU citizens.
Challenges to TADPF are also already on the horizon.
NOYB - Max Schrems' data privacy non-profit - has already indicated that it will challenge the data privacy framework in court. In essence, it sees this as a copycat of the failed Privacy Shield but with little change in US law or even the EU’s approach to it.
"We now had 'Harbors', 'Umbrellas', 'Shields' and also 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are likewise almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."
- Max Schrems, None of Your Business (NOYB)
However, this will take time.
The "Schrems III" decision could be over a year in the future, and this means that we're also no closer to resolving what is a key political trade war in the West.
The Data Privacy Framework enables participating businesses to freely transfer personal data from the EU to the US. Crucially, this does away with the need for any additional data transfer safeguards or derogations such as the EC’s Standard Contractual Clauses.
It’s also worth noting that - much like GDPR - the TADPF impacts all US companies, regardless of whether they’ve self-certified to the program or not. And with misuse of personal data enforceable under US law, this also makes it an important consideration for all businesses.
Any companies previously certified under the Privacy Shield will need to update their privacy policies to reflect TADPF principles, and will need to do this before October 10th, 2023.
To help companies acclimatize to this new framework, the US Department of Commerce has a Data Privacy Framework program website. It exists as a public resource center, and also enables US companies to self-certify their participation before transferring personal data across the Atlantic.
Participation in the program will correspondingly enable US businesses to legally export personal data from the EU.
But to be eligible, companies need to self-certify and also commit publicly to the DPF principles. This can be done by signing up for the EU-US DPF on the government’s Data Privacy Framework website.
Similarly, they can also certify with the UK Extension to the EU-US DPF and the Swiss-US DPF if they operate in either of these two locations.
These different compliance measures also serve to highlight just how far away politicians are from creating an optimal legal framework for businesses, something that will hopefully be cleared up in the coming years.
While the EC’s ratification of TADPF is welcome, there’s still the concern that they’re failing forward towards the inevitable Schrems III that will play out over the next year.
The US and Europe take different stances on governmental access rights to information that businesses hold on internet users. This philosophical divide shows no sign of narrowing, and personal data sits very much in the no man’s land between the two camps.
And in sum, businesses can take little solace from the data privacy framework's arrival. Whatever the intentions, it still feels like we’re closer to the illegalisation of the TADPF than we are to a sustainable cross-Atlantic data transfer arrangement. This is a shame. It also points to the difficulty of even similar First World nations reaching working agreements on issues with mutual interests.
Given this, wise businesses will continue moving away from using personal data.
This is being facilitated by privacy-first technologies that are designed to function without dragging users into data privacy compliance issues.
TWIPLA is a leading player in the privacy-first website analytics sector, using advanced cookieless tracking technology to assess website performance.
It’s the most popular platform on Wix, and is being used to help over 2.5 million website owners around the world meet their goals.
TWIPLA is an all-in-one solution of website intelligence tools. Standard website statistics reports are complemented by visitor behavior analytics and also visitor communication features. Crucially, it can also be used from launch to collect actionable insights on website visitors without affecting their personal data privacy rights.
Sign up to TWIPLA for free and start your migration away from both personal data dependence and TADPF data transfer concerns.