EU-US Transfers: The Trans-Atlantic Data Privacy Framework (‘TADPF’)
The Trans-Atlantic Data Privacy Framework is the EU-US data transfer agreement "in principle" announced in March 2022, intended to replace the Privacy Shield Framework that the CJEU invalidated in Schrems II.
What is the Trans-Atlantic Data Privacy Framework?
The Trans-Atlantic Data Privacy Framework (‘TADPF’) aims to provide a transfer mechanism between the EU and the US that addresses the concerns raised by the Court of Justice of the European Union (‘CJEU’) in its July 2020 Schrems II judgment: the expansive data collection activities of US intelligence agencies, and the lack of judicial remedies under US law for EU data subjects whose personal data is collected by those agencies.
The following are key principles of the TADPF set out by the European Commission and the US Government:
- Based on the new framework, personal data will be able to flow freely and safely between the EU and participating US organisations;
- A new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberty standards;
- A new two-tier redress system to investigate and resolve complaints of Europeans on access to data by US Intelligence authorities, which includes a Data Protection Review Court;
- Strong obligations for companies processing personal data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the US Department of Commerce; and
- Enhancements to the existing rigorous and layered oversight of signals intelligence activities.
The EDPB adopted a statement on the announcement, welcoming “the commitments made by the US to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (‘EEA’) when their data is transferred to the US” as “a positive first step in the right direction”.
However, the EDPB stated that the announcement does not constitute a legal framework on the basis of which an EEA data exporter can transfer personal data to the US; data exporters must therefore continue to take the steps required to comply with Schrems II.
The EDPB outlined the steps that will take place once the relevant documents are received: “(…) will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial.
More specifically, the EDPB will look into whether any new authority as part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction”.
What do organisations need to do?
As the TADPF is not yet in legal force, organisations remain bound by the current EU data transfer requirements.
Until the TADPF is operational, organisations must ensure that transfers of EU personal data to the US rest on a valid transfer tool: standard contractual clauses (SCCs), binding corporate rules (BCRs), or one of the derogations under Article 49 of the GDPR. Furthermore, the new SCCs adopted by the European Commission in June 2021 must replace the old SCCs in existing contracts by the 27 December 2022 deadline.
Organisations must also conduct a transfer impact assessment (TIA) for their transfers, following the EDPB’s guidance on supplementary measures.
It is currently unclear whether the TADPF will cover onward transfers of personal data to other third countries, so it is advisable to use SCCs and conduct a TIA for such onward transfers. Organisations should also consider retaining the technical, contractual and organisational supplementary measures they have in place, in case the TADPF is later invalidated by a CJEU decision.
Organisations still need to be ready to implement the new SCCs before 27 December 2022 and to ensure that all existing and new contracts are updated accordingly.
The agreement in principle will now be translated into legal documents. The US commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put the new TADPF in place.
The European Commissioner clarified at a press conference in April 2022 that the process of adopting the adequacy decision could take at least six months.
USA: Algorithmic Accountability Act of 2022 introduced to House of Representatives
H.R. 6580, the Algorithmic Accountability Act of 2022, was introduced in the U.S. House of Representatives on 3 February 2022. The Act's goal is to enhance the transparency and fairness of automated decisions affecting U.S. consumers, such as admission to college or approval of a bank loan. It would require both the company that makes such decisions and the company that builds the technology enabling them to conduct impact assessments for bias, effectiveness and other factors. The Act would apply to persons, partnerships and corporations over which the Federal Trade Commission ('FTC') has jurisdiction.
In addition, the Bill would:
- Provide the baseline requirement that companies assess the impacts of automating critical decision-making, including decision processes that have already been automated;
- Require the FTC to create regulations providing structured Guidelines for assessment and reporting;
- Require the reporting of select impact-assessment documentation to the FTC; and
- Require the FTC to publish an annual anonymised aggregate report on trends and to establish a repository of information where consumers and advocates can review which critical decisions have been automated by companies.
The Act is at a very early stage of the legislative process, but it targets technology companies and shows that regulators are focusing increasingly on Artificial Intelligence (‘AI’). Companies that rely on automated decision-making should start considering the methodology they would follow to assess their algorithms.
CALIFORNIA: Bill for Age-Appropriate Design Code Introduced in State Assembly
California lawmakers are proposing a new law to protect children in California when they are online. It is the most sweeping privacy measure since voters approved the California Privacy Rights Act in 2020. The proposal is modelled on the UK’s Age Appropriate Design Code, which requires online service providers to adjust their design and operations to improve children’s privacy and safety.
The California law would further increase the protections children have online. The proposed Bill contains provisions on children's data protection and limits on the online exposure of minors under 18, such as switching off geolocation for children, discontinuing "nudging" techniques that trick children into giving up their information, reducing exposure to harmful content and limiting the potential for risky contact with adults.
The law would be enforced by the California Privacy Protection Agency, which would also oversee the establishment of the California Children’s Data Protection Taskforce, to "evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified”.
US Senate passes omnibus Cybersecurity Bill
The US Senate has passed the Strengthening American Cybersecurity Act, a package of bills intended to enhance US cybersecurity. The legislation would require owners and operators of critical infrastructure, including the energy and healthcare sectors, to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and ransomware payments within 24 hours. The Bill has moved to the US House for further consideration.
The package also updates existing federal government cybersecurity laws to improve coordination between federal agencies, to require the federal government to take a risk-based approach to cybersecurity, to require civilian agencies to report all cyberattacks to CISA, and to update the threshold for agencies to report cyber incidents to Congress.
The Bill also gives CISA additional authorities to ensure that it is the lead federal agency for responding to cyber incidents on federal civilian networks. The measure follows questions raised by some lawmakers in 2021 about growing bureaucracy and complicated jurisdictional boundaries among federal cybersecurity officials.
The three-part Bill also authorises the Federal Risk and Authorization Management Program (FedRAMP) for five years, which is intended to ensure that federal agencies can quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer money.
The provisions have taken on new urgency as lawmakers and US businesses worry about Russian cyberattacks in retaliation for the sanctions imposed over the invasion of Ukraine.
The Bill was approved by the Senate on 11 March 2022.
USA: Discussion Draft Federal Privacy Bill Released
The discussion draft, which is the first comprehensive federal privacy Bill to gain bipartisan and bicameral support, aims to:
- Grant individuals broad protections against the discriminatory use of their data;
- Require covered entities to minimise the collection, processing, use and transfer of individuals' data to what is reasonably necessary, proportionate and limited for specific products and services;
- Require covered entities to meet their other obligations without compromising privacy requirements;
- Allow individuals to opt out of targeted advertising; and
- Provide enhanced data protections for children and minors.
The Bill applies to 'covered entities', meaning:
- Any entity or person that collects, processes or transfers covered data and is subject to the Federal Trade Commission Act of 1914, a common carrier subject to Title II of the Communications Act of 1934 (as currently enacted or subsequently amended), or an organisation not organised to carry on business for its own profit or that of its members; and
- Any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.
In addition, the Bill identifies a subset of covered entities, 'large data holders', which would be subject to additional obligations.
The Bill includes a duty of loyalty, including a data minimisation requirement: a covered entity shall not collect, process or transfer covered data beyond what is reasonably necessary, proportionate and limited to certain enumerated purposes. On privacy by design, the Bill sets out an express duty to establish and implement reasonable policies, practices and procedures for the collection, processing and transfer of covered data.
India Personal Data Protection Bill raises concerns
On 1 March 2022, the Information Technology Industry Council ('ITI') announced that it had led a coalition of global technology and business associations in issuing a letter to the Government of India on concerns over the Personal Data Protection Bill 2019. The ITI noted that while it welcomes the Government's commitment to data protection, it cautions against the Bill's potential negative impact on India's innovation ecosystem and digital economy.
In its letter, the ITI indicated that the recommendations put forward by the Joint Parliamentary Committee in December 2021 run counter to global standards for data protection and competition. More specifically, the ITI highlighted that the regulation of non-personal data is premised on data sharing in the interest of transparency and openness, which requires a distinct set of considerations and approaches from governing personal data.
Furthermore, the ITI expressed the view that data localisation requirements would also degrade privacy and cybersecurity protections by limiting the use of globally available solutions. As such, the ITI stated that enacting these recommendations would deteriorate India's business environment and the ease of doing business in and with India.
In this regard, the ITI has requested the Ministry of Electronics and Information Technology ('MeitY') to launch additional stakeholder consultations before introducing the Bill in Parliament.
The Indian Government is considering a complete redraft of the Bill to bring it in line with current requirements. Organisations will therefore have to wait for further developments, and should keep informed of any updates before the current Bill passes or a new Bill emerges. Organisations based in India, those in other countries that process the personal data of Indian residents, and those anticipating cross-border transfers involving India should monitor the pending Bill closely.
Recent Global Updates
In March 2021, Sri Lanka released a Bill to provide for the regulation of the processing of personal data (‘the PDP Bill’). In March 2022, Sri Lanka became the first South Asian country to pass comprehensive privacy legislation.
The Federal Cabinet of Pakistan has approved the draft Personal Data Protection Bill 2021. The Bill must still go through a series of debate and amendment steps before adoption.
In Connecticut, the Governor has signed the Act Concerning Personal Data Privacy and Online Monitoring (‘CTDPA’). The CTDPA, which will enter into effect on 1 July 2023, includes various rights for consumers and responsibilities for controllers and processors.
In March 2022, Utah enacted the Utah Consumer Privacy Act (‘UCPA’). The law sets out responsibilities for controllers and processors who conduct business in the state or produce a product or service targeted to consumers who are residents of the state. It also establishes new consumer rights, such as the rights of access, deletion and portability, and the right to opt out of targeted advertising or the sale of personal data. The UCPA will enter into effect on 31 December 2023.
Singapore’s PDPC has published Guidance on Basic Anonymisation, giving businesses more practical guidance on how to perform basic anonymisation and de-identification of various datasets through a simple five-step anonymisation process.
The Office of the Australian Information Commissioner (‘OAIC’) is urging organisations to put accountability at the centre of their information handling practices as the Australian Notifiable Data Breaches scheme enters its fourth year.
Thailand’s first personal data protection law will come into force on 1 June 2022.
Get in touch
If you have any queries on the topics covered in this issue of Data Privacy Matters, please contact Tom Hyland of our Risk Consulting practice. We'd be delighted to hear from you.