The Trans-Atlantic Data Privacy Framework (DPF) is an agreement that helps US and EU companies work together to address the differences in legal requirements for data protection in both regions. By self-certifying that they have met the standards set forth by this framework, organizations can demonstrate compliance with European Union (EU) laws on personal data privacy and other trade regulations.
The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive. It took effect in May 2018 and sets out the rules governing how companies handle personal data. With GDPR and similar data privacy and protection laws now in place in Europe, the United States and the EU have created a framework to enable continued data transfers across borders.
In March 2022, the U.S. and EU reached a new political agreement on data protection. The Trans-Atlantic Data Privacy Framework (TADPF) is a legal framework for data transfers that helps businesses comply with both EU and US data privacy laws, and it creates consistency in the requirements for data transfers between the EU and the United States. The framework reflects the US commitment to protecting individuals' privacy rights and gives companies an efficient means of complying with both US and EU data privacy laws.
The TADPF is meant to supplement existing agreements like Privacy Shield. Privacy Shield created a self-certification structure enabling companies to participate in cross-border transfers of data while upholding a set of standards and protections that are in line with EU law.
This framework was put in place because there was concern that existing measures were not sufficient to deal with the unique nature of transatlantic data flows and their implications for privacy protection.
This framework is not mandatory, but many companies with EU operations or customers may find that they benefit from complying with it.
Aside from organizations involved in US-EU trade, there are two main routes to TADPF compliance:
Organizations wishing to comply with the TADPF do so by self-certifying; no current program requires organizations to undergo additional certification beyond existing frameworks, such as codes of conduct. The TADPF outlines a number of requirements for organizations that wish to comply with the framework. These include:
For example, an organization that is already participating in Privacy Shield or has its own Data Protection Agreement with a data protection authority (DPA) can participate in the TADPF without needing any additional certification from either the European Commission or another supervisory authority.
The Data Protection Framework is one of the biggest steps forward for data protection in Europe. It requires companies that handle sensitive information to comply with strict standards for handling such data, including transparency about how they collect and use it, security safeguards (such as encryption), storing only what is required, and taking action when breaches involving third parties occur. At the same time, it gives them an opportunity to demonstrate their compliance through self-certification under the EU's General Data Protection Regulation (GDPR).
It includes a new self-certification regime and applies to any business that handles the personal information of European residents, even one with no physical presence on the continent. As more companies become aware of this framework, it has the potential to create more consistent legal requirements for cross-border data transfers. We expect that organizations that have already invested in Privacy Shield compliance will be eager to adopt it.
Learner, Researcher, Customer-focused, and the Chief Revenue Officer & VP of Sales for Sharetru. Brendon has successfully navigated multiple industries and has infrastructure certifications in GCP and AWS. He started his career in Oil & Gas business development and successfully transitioned to Rackspace as a Mid to...