January 13, 2023

    What is the Trans-Atlantic Data Privacy Framework?

    The Trans-Atlantic Data Privacy Framework (DPF) is an agreement that helps US and EU companies work together to address the differences in legal requirements for data protection in both regions. By self-certifying that they have met the standards set forth by this framework, organizations can demonstrate compliance with European Union (EU) laws on personal data privacy and other trade regulations.

    Arrival of the Trans-Atlantic Data Privacy Framework (DPF)

    The EU General Data Protection Regulation (GDPR) is a regulation that replaced the Data Protection Directive. It was enacted in May 2018, and it's a set of rules that govern how companies handle personal data. However, with the arrival of GDPR and other similar data privacy and protection laws in Europe, the United States and the EU have now created a framework to enable continued data transfers across borders.

    In March of 2022, the U.S. and EU reached a new political agreement for data protection. The Trans-Atlantic Data Privacy Framework (TADPF) is a legal framework for data transfers that helps businesses comply with both EU and US data privacy laws. It also creates consistency in requirements for data transfers between the EU and the United States. The framework reflects the US commitment to protecting individuals’ privacy rights and provides an efficient means for companies to comply with both US and EU data privacy laws.

    The TADPF & Privacy Shield

    The TADPF is meant to supplement existing agreements like Privacy Shield. Privacy Shield created a self-certification structure enabling companies to participate in cross-border transfers of data while upholding a set of standards and protections that are in line with EU law.

    This framework was put in place because there was concern that existing measures were not sufficient to deal with the unique nature of transatlantic data flows and their implications for privacy protection.

    Who will be required to comply with the TADPF?

    This framework is not mandatory, but many companies with EU operations or customers may find that they benefit from complying with it.

    Aside from organizations involved in US-EU trade, there are two main routes to TADPF compliance:

    • All organizations should be able to comply with the principles of the framework through their existing data privacy programs, which should already include adequate data protection measures. This can be achieved by ensuring security controls for personal data are applied consistently across all relevant systems and processes, as well as ensuring that employees have appropriate training on these issues. Organizations also need to be able to show how they are managing third-party vendor relationships so that personal data is protected throughout the supply chain.
    • Those who cannot comply with these requirements will need to appoint a representative located within the EU—a “lead supervisory authority”—and commit themselves to working closely with this lead authority on their compliance activities going forward.

    TADPF Self Certification

    Organizations wishing to comply with the TADPF will need to do so by self-certifying, but no current program requires organizations to undergo additional certification beyond existing frameworks, such as Code of Conducts. The TADPF outlines a number of requirements for organizations that wish to comply with the framework. These include:

    • Ensuring that its data transfer activities are compliant with EU law, including the GDPR and applicable national data protection laws
    • Implementing appropriate safeguards (such as binding corporate rules or model clauses) for transfers outside of the EU.

    For example, an organization that is already participating in Privacy Shield or has its own Data Protection Agreement with a data protection authority (DPA) can participate in the TADPF without needing any additional certification from either the European Commission or another supervisory authority.

    Conclusion

    The Data Protection Framework is one of the biggest steps forward for data protection in Europe. It requires companies that handle sensitive information to comply with strict standards for handling such data—including transparency about how they collect and use it, security safeguards (such as encryption), only storing what is required, taking action if there are breaches related to third parties etc.— while also giving them an opportunity to demonstrate their compliance through self-certification under the EU's General Data Protection Regulation (GDPR).

    It includes a new self-certification regime and applies to any business that handles personal information of European residents, even if it has no physical presence on the continent. As more companies become aware of this framework, it has the potential to help create more consistent legal requirements for cross-border data transfers. We expect that more and more organizations who have already invested in compliance with Privacy Shield will be eager to adopt it.

    Tag(s): Compliance

    Brendon Ainsworth

    Learner, Researcher, Customer-focused, and the Chief Revenue Officer & VP of Sales for Sharetru. Brendon has successfully navigated multiple industries and has infrastructure certifications in GCP and AWS. He started his career in Oil & Gas business development and successfully transitioned to Rackspace as a Mid to...

    Other posts you might be interested in

    View All Posts