New TADP Framework Will Govern Transfer of Data Between EU and USA

Earlier this year, the United States and the European Union (“EU”) announced the new Trans-Atlantic Data Privacy (“TADP”) Framework to address data privacy and protection of EU citizens’ data. This replaces previous agreements that governed the transfer of such data, specifically the Safe Harbor Framework and the Privacy Shield Framework, which were invalidated by EU court decisions in 2015 and 2020 respectively.

TADP to Safeguard EU Citizens’ Data and Reduce US Compliance Cost

Such agreements governing the transfer of data between the EU and United States work in conjunction with the EU General Data Protection Regulation (“GDPR”), which requires that personal data flowing between the EU and other countries must be protected in ways equivalent to EU privacy and protection standards. As the United States and the EU have significantly different protections and standards when it comes to data privacy, TADP is expected to help significantly reduce the cost of compliance for U.S. companies.  Currently, the transfer of such data between the EU and the United States affects over 7.1 trillion U.S. dollars and over 5000 companies that self-identity and certify that they meet the qualifications to transfer such data.

As it stands, TADP will improve current safeguards for data privacy and protection of EU residents’ data and requires U.S. companies that participate to meet a more stringent standard of protection. U.S. law currently allows government agencies to access private citizens’ data for intelligence purposes. Going forward, TADP will require the United States prove that intelligence activities are “necessary and proportionate” when accessing the personal data of EU citizens after it has been transferred to the United States. If redress for EU citizens is necessary, TADP also provides for the creation of a new court, the Data Protection Review Court, which will have the authority to rule over claims regarding the same.

Once TADP is in Effect, US Companies with EU Clients Must Meet Stringent Privacy Requirements

While not all the details of TADP have been fully fleshed out, President Biden is expected to sign an Executive Order outlining new U.S. commitments to privacy, in connection to TADP, which will then be forwarded to the European Commission to determine if the proposed measures are sufficient for EU purposes. As such, because specific details and requirements are still in limbo, it behooves privacy counsel to recognize that, if working for clients with EU presence that requires such data transfers, they must work with their EU counterparts to ensure that they meet EU standards as required by the GDPR.

In the past, in the absence of formal guidance by law, many international companies utilized standard contractual clauses to govern data transfers between the EU and United States. It makes sense then, until TADP is officially formalized, that many companies should expect to continue to do so. Once TADP is fully approved and published, then counsel will need to ensure that its clients adhere to the standards when required.

Key Takeaways on New TADP Framework

The EU and United States have agreed to the new Trans-Atlantic Data Privacy Framework. It behooves counsel to know:

• This replaces the Privacy Shield Framework that was invalidated by the EU in 2020;

• It will be more stringent and require that U.S. intelligence agencies prove access to EU citizens’ data is necessary and proportionate; and

• EU citizens will have access to the to-be-formed Data Protection Review Court, which will provide redress for citizens who believe their rights to be violated.

For more information about data privacy, see our Technology and Data and Industry Focused Legal Solutions pages.