Trans-Atlantic Data Privacy Framework - The Evolution and Breakthrough
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were deemed adequate mechanisms to facilitate transfer of personal data when they were initiated in 2016 and 2017, respectively. The Privacy Shield provided companies on both sides of the Atlantic a mechanism with which to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of Trans-Atlantic commerce.
In 2020, however, the Court of Justice of the European Union (CoJ) struck down the adequacy decisions, finding that the Privacy Shield did not sufficiently protect the fundamental rights and freedoms of EU citizens from U.S. intelligence activities.
Two years later, on March 25, 2022, the United States and the European Commission committed to a new Trans-Atlantic Data Privacy Framework. Many consider this a breakthrough in what has been a complex and overdue negotiation between the two parties. The Framework is expected to foster trans-Atlantic data flows that are crucial to companies with global operations and, at the same time, to address the concerns raised by the CoJ in 2020. While it is only an “agreement in principle,” the framework puts the necessary impetus on negotiators to convert it into an agreed-upon legal document. Such an agreement would be subject to adequacy review by the European Commission, with the expectation that it would withstand legal challenge and avoid a Schrems III scenario.
The revised framework reestablishes an important legal mechanism for transfers of EU personal data to the United States and supports high-standard commitments regarding the protection of personal data. Participating companies and organizations that take advantage of the framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles (the “Principles”), including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
As part of the framework, the U.S. has committed to strengthen the privacy and civil liberties safeguards and oversight of U.S. intelligence activities and establish a new redress mechanism with independent and binding authority. Specifically, the new Framework provides that U.S. intelligence collection is allowed only to advance legitimate national security objectives, that EU Individuals can seek redress through a new Independent Data Protection Review Court, and that companies will need to obtain or continue with Privacy Shield Certification to adhere to the Framework as a data transfer mechanism.
Potential Impacts & Considerations for Organizations
To support the redress mechanism, a Data Protection Review Court will be established to adjudicate complaints from EU citizens. The court will have the power to impose remedial measures as needed. The redress system is expected to be “multi-layered,” a term that has yet to be defined. At this point, it is unclear what exact role and obligations companies will have as part of the redress system.
Nonetheless, companies should evaluate their internal processes for handling individual complaints and their policies for handling requests from the U.S. government to access personal data. The proposed Court may also direct companies to comply with reporting requirements or random audits. As such, companies should be prepared to gather data and report on U.S. government requests for EU citizen data.
Despite many unknowns about the redress mechanism, it is critical that organizations be proactive and ready to respond to potential new compliance obligations to mitigate risks from mishandling of complaints.
Notably, companies that take advantage of the framework to facilitate transfer of EU personal data may be required to adhere to the Principles, including the requirement to self-certify. If, after Schrems II, an organization forwent Privacy Shield Certification in favor of other transfer mechanisms, such as Standard Contractual Clauses (SCCs), the benefits of the new Trans-Atlantic Framework could be a reason to revisit certification as a transfer mechanism.
Privacy Shield Certification not only provides market-branding benefits, since an organization can point to its adherence to the Principles, but is also considered less burdensome than maintaining SCCs (e.g., a change in business process or data processing may require a new SCC). Further, Certification helps companies maintain compliance because of the required annual recertification.
How Accenture Can Help
In anticipation of the upcoming adoption of the Trans-Atlantic Data Privacy Framework as an authorized data transfer mechanism, we can support companies on navigating the ever-changing privacy landscape, focusing on the following initiatives:
- Redress Mechanism and Complaints Handling
  - Intake – define and enhance the complaint intake process and tooling to accurately and completely capture complaints
  - Handling – coordination and alignment with corporate functional partners such as Compliance, Legal, IT Security and Data Management as part of complaints investigation, evaluation and containment
  - Communication – define the governance and mechanism to facilitate internal and external communications with functional partners, supervisory bodies, and impacted individuals
  - Resolution – case management and escalation up to resolution
- Management of Government Requests for Access to Personal Data
- Privacy Shield Certification Process
  - Fit & Business Case – assess the merits and value/cost of pursuing a Privacy Shield Certification (e.g., comparison against SCCs, BCRs, etc.)
  - Readiness Assessment – assess existing privacy program capabilities and controls against Privacy Shield Principles and requirements
  - Privacy Capability Enhancement – remediate gaps identified in the Readiness Assessment and build a sustainable program
  - Certification – assist in the certification process, including final assessment of program capabilities and controls to support the Privacy Shield Certification
We recommend that companies assess the impact that adoption of the Trans-Atlantic Data Privacy Framework may have on their current EU-to-U.S. personal data transfers, assess the viability and benefits of Privacy Shield Certification, and take a proactive approach to preparing for anticipated requirements. If you think Accenture could be a partner for your organization’s privacy journey, please feel free to contact the authors of this piece.