Why Organizations Should Not Rely on the New EU-US Privacy Framework in the Long Term

In 2022, the European Commission and the United States reached a preliminary agreement for a Trans-Atlantic Data Privacy Framework (TADPF). The new framework, approved following President Joe Biden’s executive order in October 2022, aims to enable data sharing between the EU and the US without additional safeguards or measures. The new set of rules and safeguards, among other things, limits access to data by US intelligence authorities, provides a two-tier redress system to investigate and resolve complaints of Europeans regarding access to data by US intelligence authorities, imposes substantial obligations on companies processing data transferred from the EU, and establishes specific monitoring and review mechanisms.

The US and Europe are considered each other’s most vital commercial partners for digital services, according to the U.S. Bureau of Economic Analysis. Transatlantic data flows make up over half of Europe’s data transfers and around half of the US’s global data transfers. These data flows allow for online communication, monitoring of global supply chains, sharing research, providing cross-border services, supporting technological innovation, and more.

Participating organizations and companies that wish to take advantage of the TADPF to secure data transfers must comply with the principles set out therein and self-certify through the U.S. Department of Commerce. These principles align with those established for the Privacy Shield, meaning companies already certified under the Privacy Shield may also be eligible for certification under the TADPF. Additionally, there are supplementary principles and special provisions for sensitive data such as employment data, medical research data or journalism-related data. Self-certification must be renewed annually.

The new EU-US Privacy Framework offers advantages to both data importers in the US and data exporters in the EU. The TADPF simplifies the self-certification process for data importers located in the US and eliminates the need for due diligence by EU-based data exporters, compared to other mechanisms such as standard contractual clauses.

However, while the TADPF may seem attractive to companies, there are several reasons why organizations may be hesitant to rely on it. Firstly, this is the fourth attempt to create a mechanism for the cross-border transfer of personal data from the EU to the US, with previous attempts, such as the Privacy Shield and the Safe Harbor framework, being declared invalid or repealed. Most recently, the Privacy Shield was declared invalid by the European Court of Justice in its ‘Schrems II’ ruling of July 16, 2020. Secondly, the stability of the TADPF is uncertain due to the nature of executive orders in the US, which are subject to reversal and invalidation. As executive orders can be easily overturned by incoming presidents, it is uncertain whether the TADPF will endure. If the current executive order by President Joe Biden is reversed, the TADPF will likely also become invalidated.

Given the history of previous adequacy frameworks and the current political climate, there is a high probability of the TADPF being invalidated in the future, either through a court challenge or through the reversal of the executive order it rests upon. Therefore, organizations should view the TADPF as a temporary measure with a potentially limited lifespan. If organizations choose to rely on the TADPF, it is recommended that they develop a long-term strategy, including the use of other accepted methods for transferring data, such as standard contractual clauses and binding corporate rules, and perform transfer impact assessments as needed.

Moving personal data from the EU and choosing a service provider based in the US is a crucial aspect of many organizations’ long-term investment strategies. Relying exclusively on the TADPF, which carries a high risk of collapse within a few years, would not be wise. Organizations should consider alternative transfer mechanisms with a more stable and secure future. If your organization needs advice on privacy frameworks and data breaches, you can contact a privacy lawyer for accurate representation.