Skip to content
Viewpoint: Trans-Atlantic Data Privacy Framework announcement

News -

Viewpoint: Trans-Atlantic Data Privacy Framework announcement

Following the recent announcement by the European Commission and the United States government on a new Trans-Atlantic Data Privacy Framework, NCC Group Associate Director Stephen Bailey shares his thoughts on what the latest development in data protection regulation means for organisations and individuals.

Statement of intent

The new Trans-Atlantic Data Privacy Framework, at least in principle, will raise the hopes of many organizations struggling to stay one step ahead of data protection regulators’ enforcement actions across the European Union. But it’s important to keep in mind that this is just a statement of intent and the detail has yet to be worked out, some of which could require legislative change.

New safeguards

There seems to be commitment on the part of the US to address the two main issues that pulled the privacy rug out from under Privacy Shield in the Schrems II case—the access that US public authorities have for national security purposes to personal data transferred from the EU, and the lack of any meaningful redress for those individuals whose data has been accessed. The joint statement references the US putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available.

EU to US transfers of personal data currently require the exporter to adopt an approach that provides for appropriate safeguards to a standard that is of “essential equivalence”. One option for this is the use of EU standard contractual clauses (SCCs), plus supplementary measures, for which the European Data Protection Board adopted a set of recommendations, but this approach has not stood up to scrutiny in a number of recent investigations undertaken by supervisory authorities in the EU. The privacy campaigners that brought recent cases have many other similar ones in process so will be watching with great interest.

Root of the problem

At the root of the problem is the fundamental disconnect between the EU and US with respect to privacy. The absence of federated privacy laws in the US and the proliferation of laws at the state level that are still either breach oriented or lacking in providing a specific basis for enforcement creates issues that will make it highly likely that this new framework will once again be successfully challenged.

The joint statement makes no mention of the Court of Justice of the European Union (CJEU), the judicial arm of the European Union that invalidated the adequacy decision for the EU-US Privacy Shield. It’s possible that’s because this is the early stages, but they will no doubt be asked to rule on whatever the new Trans-Atlantic Data Privacy Framework turns out to be. Similarly, the proposed Data Protection Review Court will likely face challenges from a variety of perspectives in the US legal system.

The future

Establishing the Data Protection Review court, if successful might provide the basis for enforcement, but absent a framework similar to GDPR will not support proactive compliance.

But “essential equivalence” will always be a challenge to achieve and maintain until such time as the US passes effective data privacy legislation.




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom