Trans-Atlantic Data Privacy Framework: everything you need to know 

Trans-Atlantic Data Privacy Framework: everything you need to know 

On the 15th of March 2022, the European Commission and the United States (US) announced that they had agreed on a new Trans-Atlantic Data Privacy Framework. The framework is designed in such a way that it would regulate trans-Atlantic data flows. Or, more specifically, the data flows between the United States and Europe. 

Why was the Trans-Atlantic Data Privacy Framework called into life, and what exactly does it consist of? Read further and get acquainted with all the ins and outs about the new data privacy framework.

Why does the Trans-Atlantic Data Privacy Framework exist?

The new framework is a direct result from a decision that was taken in July 2020 by the Court of Justice of the European Union (CJEU). The decision revolved around the Privacy Shield framework, which provided for the possibility for lawful transfer of personal data from the US to the European Union (EU). At the same time, it ensured a strong set of data protection requirements. It enabled EU businesses to legally transfer personal data to US-based companies. But, the Privacy Shield framework wasn’t mandatory. That is to say, only the businesses that were voluntarily certified under the Privacy Shield had to keep to its principles.

Long story short, the framework was deceptive and didn’t do its proper job. The CJEU declared the Privacy Shield Decision invalid on account of invasive US surveillance programs. This way, transfers of personal data on the basis of the Privacy Shield Decision became illegal. The response of both the EU and the US was to develop a new framework that would do its proper job. Indeed, this became the Trans-Atlantic Data Privacy Framework. The purposes of this agreement are to strengthen privacy and civil protection from intelligence agencies. Also, new mechanisms for individual protection were implemented.

What is the Trans-Atlantic Data Privacy Framework: its principles

The European Commission has distinguished several principles that are central to the new framework. These are the following:

  • Personal data will be able to flow freely and securely between the EU and the participating US companies.
  • A new set of rules will restrict the access of the US intelligence services. This ensures that access takes place only if it is necessary and proportionate to ensure national security. It should secure disproportionate invasion to the rights and freedoms of individuals.
  • A new two-tier system will ensure that complaints from EU citizens about access to data by US intelligence services are investigated and dealt with. A new and independent Data Protection Review Court is being set up for judicial review.
  • There are strict obligations for US companies that process data transferred from the EU. This includes, in particular, the obligation to confirm compliance with the agreement to the US Department of Commerce by means of self-certification.

How was the Trans-Atlantic Data Privacy Framework developed?

The Trans-Atlantic Data Privacy Framework is the outcome of a year of negotiations between the US and the EU. The framework focuses specifically on businesses, with the EU stating that this new framework “will promote an inclusive digital economy in which all people can participate and in which companies of all sizes from all of our countries can thrive”.

Does it protect individual privacy?

So, the data privacy framework is a mechanism for companies. Think, for example, about social media platforms. It allows them to transfer data of individuals between data centers in the US and EU. While the EU claims that the GDPR protects its citizens‘ right to data privacy, the US didn’t have such a national law. So while the right to privacy is part of the US constitution, online privacy isn’t covered under these laws.

Because of these reasons, a compliance framework for data sharing was deemed necessary. What is quite remarkable is that the framework almost exclusively talks about the economic value that it has for companies and businesses. If the law that should protect individual privacy is written with the market in mind, can it still protect the individual?

Unfortunately, this doesn’t seem to be the case. Scientists argue that it is close to impossible for market mechanisms to resolve problems such as how to determine the socially optimal level of privacy protection and how to avoid excessive privacy loss.

Copy pasting GDPR

That’s indeed not a good base to build from. To add, the new framework seems to be largely following the principles as stated in the European GDPR law. There is already quite some critique on this law, for example that the law isn’t restrictive and clear enough.

Another critique on the GDPR legislation is that it is already somewhat dated. The legal instrument of the GDPR is a step towards more individual control. Yet, some threats to individual control remain entrenched in the legislation. This has mostly to do with the fact that in the end, the person on the other side is responsible for the protection of your personal data. Trust is, therefore, a big factor, but unfortunately trust is often broken. Especially when the incentive of money is involved.

Concluding the Trans-Atlantic Data Privacy Framework

All and all, it looks like the Trans-Atlantic Data Privacy Framework is developed based on already dated principles. Sure, they have been updated somewhat. But, the combination of dated principles and market mechanism doesn’t provide a very convincing argument for the actual protection of individual online privacy. Not to mention that the former Privacy Shield framework was also deemed insufficient. There is a lot of lacking information about how exactly the deficiencies from the former framework were tackled within the development of this new framework. In fact, it doesn’t seem like these problems were overcome.

So, how to protect your privacy online?

To be sure that your data is protected, you will need extra measurements. As an individual, but especially as an employer or business. To be sure your data will not be stored and shared, make use of data blockers, make sure to cover your webcam, take a look at these five ways to protect your privacy online, or take a look at some other privacy measures that can be taken here.

Reading next

5 ways to protect your privacy online
The dangers of juice jacking for your organization and how to prevent it