Transatlantic framework | HCLTech

Transatlantic framework
August 26, 2022

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs

We frequently connect a new year with renewed hope and optimism. While this is excellent, we must remember that each passing day presents new risks as a result of the ever-changing landscape of technology, methods, and operations. As long as technology is in motion, compliance strategies will follow suit. Security, after all, is a voyage, not a destination.

Cybersecurity has grown rapidly as a domain because cyberattacks have become more advanced over time. Governments all across the world are attempting to clamp down on these threats and stay ahead of the game, and this trend is likely to continue. Some of the resulting changes are significant, while others are minor, but all will have an influence. For instance, let’s focus on a major event that will have critical implications going forward – the Trans-Atlantic Data Privacy (TADP) framework.

In the most basic sense, it is a data privacy agreement between the United States and Europe. The context is that an Austrian activist and law student called Maximilian Schrems objected to Facebook transferring his personal data to the US. As a result, he brought Facebook before the European court. The first of these cases led to the creation of the Privacy Shield, a set of protections provided by the United States concerning the treatment of personal data. Schrems disagreed and took Facebook back to court. In July 2020, the judgment known as Schrems II invalidated the Privacy Shield. This meant that EU residents’ data held in any form in the US was not treated in a way that guaranteed compliance with GDPR.

The United States of America and Europe are each other's most important business partners for digitally driven services, according to the US Bureau of Economic Analysis. In 2020, US-EU trade in information and communications technology (ICT) services and potentially ICT-enabled services was valued at more than $264 billion.

Trans-Atlantic data flows account for more than 50% of all data flows in Europe and around 50% of all data flows in the United States. People rely on such data flows to send information for online communication, follow global supply chains, exchange research, provide cross-border services, and support technological innovation, among other things.

The European Data Protection Board investigated the issues related to the Privacy Shield and issued a preliminary set of recommendations in November 2020. This paper made the critical argument that legal measures on their own were insufficient. Organizations were to adopt "supplementary technical measures" to ensure data protection. This essentially meant that it was the organization's responsibility to regulate how effectively the data is safeguarded, based on the activities performed on the data. It also suggests that the line between organizations that execute operations on data and those that use data for their operations was blurred.

In January 2022, the European Data Protection Board issued a draft discussing how organizations in Europe can protect data that resides, for example, in a cloud service based in the US. The United States and the European Union (EU) then confirmed a political agreement in March 2022 on a new Trans-Atlantic Data Privacy framework to protect commercial cross-border data transfers. To address EU apprehensions about US surveillance methods, the new framework would strengthen safeguards and restrictions on US signals intelligence operations, create a new redress mechanism with independent and legally enforceable authority (the Data Protection Review Court), and add oversight guidelines for signals intelligence operations.

The following outcomes are expected to unfold as a result:

  • Data will be allowed to travel freely and securely between the EU and participating US corporations under the new system
  • A fresh set of regulations and legally binding checks and balances to limit the US intelligence agencies' exposure to data to what is reasonably related and relevant to protect national security
  • US intelligence bodies will implement rules to ensure better supervision of new privacy and civil liberties norms
  • A new two-tier grievance handling system, including a Data Protection Review Court, to scrutinize and fix Europeans' complaints about data access
  • Strict requirements for firms processing data transmitted from the EU, including the necessity to self-certify their compliance with the principles via the US Department of Commerce.

Apart from the new framework, American companies have only a limited set of options for cross-border data transfers with the EU. These include:

  • Develop binding corporate rules (BCRs) that EU officials must approve for each firm.
  • Implement revised EU-sanctioned standard contractual clauses (SCCs) and review whether the safeguards are sufficient in light of the European Court of Justice decision.
  • Employ commercial cloud services supplied by major technology companies that use certified BCRs or updated SCCs (for example, Microsoft, IBM).
  • Store EU individuals' personal data solely in the EU or another permitted nation, which some stakeholders favor but others see as a potentially costly data-localization trade barrier.
  • Obtain authorization from individuals for each and every processing of personal data, which is likely to be a logistically difficult and costly option for most businesses.
  • Leave or restrict involvement in the EU market.
  • Other options would be for the EU to develop GDPR-compliant standards of conduct or certifications, which firms might apply for. These projects might be focused on the US-EU relationship or on a larger, global scale.

Some technical measures that come up in these discussions include:

  • Double key encryption – data can only be read by the organization when the processing of personal data is done in the EU, regardless of where it is stored globally.
  • Protected enclaves – processors with built-in, verifiable capabilities that keep decrypted data inside a protected enclave claimed to be inaccessible to attackers.
  • Pseudonymization – a technique related to encryption that replaces identifying fields with tokens, so that the processed data can still be used for AI and machine learning training and analysis.
  • Multi-party computation – parties compute jointly over their data without divulging all of it to each other.
  • Homomorphic encryption – computation on data while it stays encrypted; it is highly computational in nature (approx. 40 times stronger than normal encryption).
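Of the measures listed above, pseudonymization is the one that can be shown compactly. The following Python example is added here and is not code from the post or from HCLTech: it keeps an HMAC key and the re-identification table with the EU controller, exports only tokenized records for analysis elsewhere, and lets the processor still aggregate per subject. The records and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person; they never leave the EU side.
DIRECT_IDENTIFIERS = ("email", "name")

def derive_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed (HMAC-SHA256) pseudonym: same key + identifier gives the same
    token, but it cannot be reversed or recomputed without the EU-held key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]

def pseudonymize_records(key: bytes, records: list) -> tuple:
    """Split records into an exportable dataset (token + non-identifying
    attributes) and an EU-held table mapping token -> direct identifiers."""
    exported, lookup = [], {}
    for rec in records:
        token = derive_pseudonym(key, rec["email"])
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject": token, **attrs})
    return exported, lookup

def contains_direct_identifiers(exported: list) -> bool:
    """Pre-export check: fail closed if any identifier field slipped through."""
    return any(f in rec for rec in exported for f in DIRECT_IDENTIFIERS)

def spend_per_subject(exported: list) -> dict:
    """Analysis the non-EU processor can still run: aggregate per token."""
    totals = {}
    for row in exported:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["spend"]
    return totals

def reidentify(lookup: dict, token: str):
    """Only the EU side, which holds the table, can map a token back."""
    return lookup.get(token)

if __name__ == "__main__":
    eu_key = secrets.token_bytes(32)  # generated and retained by the EU controller
    sample = [  # constructed sample records, not real data
        {"email": "anna@example.eu", "name": "Anna", "age_band": "30-39", "spend": 120},
        {"email": "Anna@Example.eu", "name": "Anna", "age_band": "30-39", "spend": 80},
        {"email": "ben@example.eu", "name": "Ben", "age_band": "40-49", "spend": 40},
    ]
    out, table = pseudonymize_records(eu_key, sample)
    assert not contains_direct_identifiers(out)
    print(spend_per_subject(out))  # two subjects: Anna's rows merge to 200, Ben 40
```

Note that the token is only as strong as the key's custody: if the key travels with the data, the exported set becomes re-identifiable abroad.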

Some of the benefits expected to come out of this agreement and implementing the security measures include:

  • Sufficient protection of Europeans' data transmitted to the US, in accordance with the European Court of Justice's judgment (Schrems II).
  • Data transfers that are safe and secure.
  • Long-lasting and dependable legal foundation.
  • Strengthening of the digital economy and economic collaboration.
  • Ongoing data transfers will support €900 billion in cross-border business each year.

The principal plaintiff in Schrems II, Max Schrems, released an official statement via his non-profit group, noyb ("None of Your Business"). Schrems remarked that the unveiling was only "a political declaration," and that the TADP framework may be months away from taking effect, since there was not yet final text to approve and execute. Furthermore, Schrems stated that he would rigorously analyze the text whenever it is released and is "likely to contest" it if it was found to be in violation of EU law. noyb predicted that this could create "legal ambiguity for the foreseeable future."

Regardless, this measure may be viewed as both a practical and a legal step forward in protecting data privacy. This type of agreement might be viewed as a catalyst for putting the greater emphasis where it is due, namely on data protection in all jurisdictions. When discussing data sovereignty, it is also crucial to discuss technological sovereignty: services and technology are also imported into the EU from outside it. There is a lot more under this iceberg, and only time will tell how one decision unfurls consequences in related domains.
