The ongoing struggle to establish a stable framework for EU-US data transfers has once again brought privacy concerns to the forefront. As the European Commission attempts to forge a new "Trans-Atlantic Data Privacy Framework," the failure to address fundamental issues surrounding US surveillance practices raises significant challenges for businesses operating across borders.

THIS ARTICLE IS WRITTEN BY CEM ADIYAMAN. CEM ([email protected]) HAS A STRONG FOCUS ON LAW, TECHNOLOGY AND HUMAN RIGHTS WITHIN RSM NETHERLANDS BUSINESS CONSULTING SERVICES. 

The General Data Protection Regulation (GDPR), implemented in 2018, sets stringent standards for data protection and privacy within the European Union. It prohibits the transfer of personal data outside the EU unless the destination country ensures an "essentially equivalent" level of protection. This requirement is vital for upholding the privacy rights of European citizens.

In the past, businesses relied on two European Commission decisions, "Safe Harbor" in 2000 and "Privacy Shield" in 2016, to facilitate EU-US data transfers. However, both frameworks were invalidated by the Court of Justice of the European Union (CJEU) due to concerns over US surveillance laws and the inadequate protection of personal data. The absence of a valid data transfer mechanism poses significant challenges for businesses operating on both sides of the Atlantic. Without a solid legal framework, companies face legal uncertainty and risk violating the GDPR by transferring data to a jurisdiction that does not meet the required standards.

To navigate this complex landscape, businesses are forced to rely on alternative mechanisms such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) to ensure compliance with GDPR requirements. However, these mechanisms may not provide sufficient protection against US surveillance practices, leaving businesses in a precarious position.

The proposed "Trans-Atlantic Data Privacy Framework" appears to offer little change from its failed predecessors. The lack of concrete improvements to US surveillance laws and the absence of robust redress mechanisms raise concerns about the framework's effectiveness. This uncertainty impedes businesses' ability to plan and operate seamlessly across borders. In light of these challenges, businesses must prioritize data protection and privacy compliance. Conducting thorough assessments of data flows, perhaps exploring alternative transfer mechanisms, and implementing technical safeguards become crucial steps to mitigate risks.

Furthermore, industry associations and businesses must engage in advocacy efforts to encourage the EU and the US to work towards a sustainable solution. Reforming US surveillance laws to align with GDPR standards is vital for establishing a legally compliant framework that respects privacy rights and enables the smooth flow of data.

Concluding remarks

The uncertain future of EU-US data transfers calls for collaboration and proactive measures. Businesses must, again, adapt their strategies and remain vigilant as they navigate the complex landscape of transatlantic data transfers, ensuring compliance while safeguarding the privacy of individuals. On the one hand, we expect that this new framework will also be quickly struck down by the CJEU. Schrems has already indicated that he sees major objections and will bring them before the CJEU again. On the other hand, US companies will soon be able to legally transfer personal data again under this new framework.

Despite promises of change and efforts to rebuild trust from a human rights perspective, these recurring attempts have proven to be a mirage. The proposed framework merely perpetuates the failures of its predecessors, disregarding the urgent need for meaningful reform. It is evident that the political interests behind these agreements have taken precedence over safeguarding fundamental rights.