The European Commission, on December 13, issued a draft adequacy decision regarding a data privacy agreement that concerns data flows to the US. The draft decision brings the agreement a step closer to adoption. Once adopted, the EU-US Data Privacy Framework would allow US companies to store European users’ information, albeit under certain restrictions.
The Commission found the US’s data privacy protection frameworks, enshrined in the agreement, satisfactory. It has now forwarded its draft adequacy decision to the European Data Protection Board for further review. After that, the agreement will move to the European Parliament for adoption.
Under its terms, the data privacy agreement would bar US companies from sharing EU citizens’ data with US law enforcement and intelligence bodies unless it’s a matter of national security. Further, US companies would be required to delete users’ information after a certain period.
The transatlantic data privacy framework could resolve the longstanding data privacy row between the EU and the US. The Court of Justice of the European Union (CJEU), in the Schrems II decision, had ruled the US’s previous data protection efforts as lacking.
In recent memory, differences in data protection have led to several rulings by European authorities against US companies for violating the General Data Protection Regulation (GDPR)—the data protection framework applicable in Europe. For instance, Ireland’s Data Protection Commission (DPC) ordered Facebook to stop EU data transfers, as the company was in violation of GDPR.
EU-US Data Transfers—a Troubled History
Since 2015, data transfer between the EU and the US had been governed by the Data Privacy Shield treaty. But the CJEU annulled the treaty in July 2020 due to its lack of compliance with GDPR. Under GDPR, a multinational company can only send information outside of the EU if the transfer mechanism is compliant. In case of non-compliance, the penalty is up to 4% of the violating entity’s global turnover or EUR 20 million. In the past, Facebook had warned of shutting its European operations because of these stringent data protection frameworks.
The draft adequacy decision comes months after US President Joe Biden and the Commission’s President Ursula von der Leyen reached a preliminary agreement for transatlantic data flow. In addition to staving off the danger of US companies being shut out of the EU, the agreement will facilitate smoother data transfer between the EU and the US.
From the EU’s perspective, US companies and intelligence agencies have enjoyed unfettered access to its citizens’ information without due cause. This led to the breakdown in transatlantic data transfer—though a resolution is now in sight.
What the Transatlantic Data Privacy Framework Provides
The data privacy framework will force US companies to comply with certain privacy obligations. For example, US companies will have to “delete personal data when it is no longer necessary for the purpose for which it was collected…” Furthermore, they’ll have to “ensure continuity of protection when personal data is shared with third parties.”
In practice, “continuity of protection” might prove to be problematic. Vulnerabilities in transitive dependencies and other open-source components give bad actors several ways to compromise customer data stored on company servers. This can leave even compliant companies open to lawsuits.
Lawsuits are a real threat under this new framework. In case of data leakage, EU citizens could avail themselves of a redress process and sue the violating company. The Commission’s statement read, “EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.”
Effects of Transatlantic Data Privacy Framework on Business Operations
GDPR was introduced in 2018 and has, since then, led to an overhaul in how EU businesses store and transfer customer information. A summary of the requirements it introduced is as follows:
- Appointing a Data Protection Officer (DPO)
- Assessing data privacy measures
- Outlining a data management plan
- Implementing tools for user consent
- Documenting compliance, record keeping, and auditing processes
- Identifying data breach protocols
Under GDPR, EU citizens have eight fundamental rights: access to data, data erasure, data rectification, restriction of processing, notification of changes to data, data portability, objection to the use of data, and a refusal of automated decision-making. The transatlantic data privacy framework will bind US companies to observe these rights in their interactions with EU citizens’ data. Should they fail to do so, EU citizens would have an easy (and free) means of litigation.
Although individual data privacy is paramount, the framework seems to be a little harsher on businesses. In cases of non-compliance, EU authorities can slap exorbitant fines for GDPR violations on micro businesses and mega-corporations. This means companies hit by a cybercrime would have to also pay for failing to adhere to a higher security standard—thus, paying twice for one mistake. This may put smaller businesses in danger of going bankrupt.
What’s worse for them is that cybercriminals actively seek security vulnerabilities, and these businesses don’t have the capital to hire expensive cybersecurity managers to address them. But a better option exists. To avoid data breaches and the compliance fines that follow them, companies can invest in network software for monitoring, filtering spam, and identifying and patching security vulnerabilities. Such software could limit a company’s exposure to a number of attack vectors that cybercriminals use.
Big Tech—the Main Target?
The reason modern websites ask visitors’ consent to use their cookies is that GDPR requires it. Measures like it may become more commonplace once the new framework comes into force. For example, businesses may need to hire compliance officers to handle data responsibly and implement web protocols to protect their networks.
But, it seems the transatlantic data privacy framework may be aimed more at mega-corporations. Since these corporations have intentionally misused customer information in the past, the framework offers a free litigation process to EU citizens.
That said, mega-corporations like Facebook also play a vital role in helping small business enterprises through advertising, marketing, and social networking. These are advantages that small businesses risk losing if a broad-scale shutdown of transatlantic data transfers comes to pass.