The EU-U.S. Transatlantic Data Privacy Framework: What companies need to know now
Author: Maximilian Giffhorn
In light of the current developments in the EU-U.S. Transatlantic Data Privacy Framework, it is crucial for companies to develop a sound understanding of the associated requirements. This article highlights the fundamental aspects of this framework and provides practical recommendations to help companies ensure their data transfers are legally compliant.
The history of data protection between the EU and the USA
In recent years, data protection between the EU and the US has repeatedly made headlines. After two previous agreements, Safe Harbor and Privacy Shield, had already failed, the European Commission presented the Transatlantic Data Privacy Framework in July 2023 as a new approach. The Edward Snowden revelations and the legal battles that followed led the ECJ to invalidate the two previous agreements in 2015 and 2020. The main concern was that the U.S. did not provide an adequate level of data protection, which violated the fundamental rights of EU citizens.
The Transatlantic Data Privacy Framework in Detail
The Transatlantic Data Privacy Framework was created in response to the requirements of the European Court of Justice and aims to give the transfer of personal data between the EU and the US a secure legal basis. It was designed to ensure that U.S. intelligence agencies cannot simply ignore the privacy provisions of the agreement. Through an Executive Order issued by President Biden in 2022, the powers of U.S. intelligence agencies have been curtailed and the rights of EU citizens have been strengthened.
Key features of the Transatlantic Data Privacy Framework
Proportionality: Access by U.S. intelligence agencies to EU citizens’ data must be proportionate.
Complaint Procedure: EU citizens now have the ability to complain directly to the U.S. intelligence agencies’ Civil Liberties Protection Officer.
Review Procedure: If dissatisfied, EU citizens can appeal to the Data Protection Review Court, an independent body that can make binding decisions.
Despite this progress, there is still criticism and uncertainty about data transfers to the US. It remains to be seen how the ECJ will evaluate these new measures. Nevertheless, the Transatlantic Data Privacy Framework provides a legal framework that takes data protection seriously and is an improvement over previous agreements.
Are U.S. services like Amazon safe now?
Despite the introduction of the Transatlantic Data Privacy Framework, questions remain about the legal security of U.S. services like Google. While the Transatlantic Data Privacy Framework provides a certification option, companies must actively verify that the services they use actually hold this certification. But even certification alone is not enough. It is still essential to obtain the user’s consent, for example through a cookie banner, in order to comply with legal requirements.
In addition, there are legal considerations that should not be ignored. Privacy activists, especially individuals such as Max Schrems, could challenge the Transatlantic Data Privacy Framework in court. Although the use of Transatlantic Data Privacy Framework-certified services is currently considered legally safe, there remain concerns and potential risks for the future. There is a possibility that the Transatlantic Data Privacy Framework will be challenged in the courts in the coming years, which could once again put companies in a position of uncertainty.
Identify services: Identify all U.S. services on your site and bring in experts as needed.
Verify certification status: Make sure the service is certified under the Transatlantic Data Privacy Framework.
Ensure consent: Obtain valid consent from users before transferring their data.
The Transatlantic Data Privacy Framework provides some legal certainty for data transfers between the EU and the US. However, companies should be cautious and keep up to date with the latest legal developments. For maximum security, companies might consider using only EU-based services.