Written by Paul Mountford, Chief Executive Officer, Protegrity
Transatlantic data flows underpin more than $7 trillion in cross-border trade and investment per year, according to the U.S. Department of Commerce. The recently announced EU-US Data Privacy Framework (TADPF), in place as of 10th July 2023, is expected to further promote opportunity and economic fruitfulness on both sides of the Atlantic.
However, many are rightfully questioning the staying power of this latest version of the TADPF. Will it be third-time lucky or Groundhog Day all over again? Against this backdrop of uncertainty, many companies must evaluate their short- and long-term regulatory resilience.
For those less familiar, TADPF is a legal framework for data transfers that helps businesses comply with both EU and US data privacy laws. The TADPF is the successor to the Privacy Shield and Safe Harbor agreements and offers a legal basis for securely transferring data from the EU to the US. The TADPF is intended to limit access by US intelligence services and guarantee the protection of EU citizens’ personal data.
The TADPF is similar in substance to the Privacy Shield agreement that Schrems II[i] nullified. According to Gartner, this new framework will only last 2-5 years; in fact, this third attempt to get a stable agreement on EU-US data transfers will likely be back at the Court of Justice (CJEU) before the end of the year. Schrems has already announced further legal challenges, and a plethora of other privacy groups and activists will likely follow. As a result, it may be just a matter of months before a filing against the first companies to execute a transfer under this framework is made.
For businesses it is clear – a decision to solely rely on the new framework for transatlantic data flows, given the TADPF’s expected shelf life and the challenges it faces, leaves a high level of uncertainty, instability and risk.
Growing regulatory requirements
Today data borders and regulations are being constantly strengthened in a drive to protect customer privacy and fight global cybercrime. These good intentions, however, are evolving into what could fairly be called data nationalism. As the regulatory landscape for privacy becomes increasingly volatile and fragmented, business risk – being out of compliance and subject to significant penalties – grows accordingly, absent regulatory resilience.
For the C-suite this presents a significant challenge. By law, cyber-risk is a board-level conversation because company performance in this area will impact shareholder value, customer confidence, and risk profile. Equally, an inability to demonstrate privacy compliance creates short-term investment challenges including higher insurance premiums, cash reserves requirements for penalties, and higher costs of compliance. In the long term, it impacts revenue and growth as companies are forced to pay higher costs to participate, or even exit markets entirely.
For data and technology leaders, today’s challenge is to comply with local regulations while respecting customer expectations and managing complex global supply chains. But localisation of data is a problem that must be solved. To meet these macro and micro-economic challenges, organisations should look for borderless data systems that enable global business operations, ensure compliance and also meet local demands.
Adapting to privacy laws around the world
GDPR has given rise to new privacy laws around the world, and subsequently the United Nations Conference on Trade and Development (UNCTAD) reports that 71% of countries have data protection regulations in place and 9% have legislation in development (https://unctad.org/page/data-protection-and-privacy-legislation-worldwide).
This is creating pressure with real-world consequences for global businesses. We only need to look at the recent issues faced by Meta, the parent company of Facebook, WhatsApp and Instagram. In May 2023, Meta was fined a heart-stopping €1.2 billion ($1.3 billion) by EU regulators for breaching data protection law when handling EU citizens’ data via its Facebook service.
Meta was fined because it relied on Standard Contractual Clauses (SCCs) to achieve compliance for moving EU citizen data to the US for processing. However, regulators have now said SCCs are not compliant with the GDPR, meaning that the toolset commonly used by multinationals will no longer solve the data localisation challenge. Furthermore, privacy will only continue to evolve, becoming more complicated tomorrow than it is today.
Pseudonymisation is the solution
Pseudonymisation is an effective way to comply with the EU’s GDPR demands for secure data storage of personal information. Recently the EU Court of Justice ruled that pseudonymised data transmitted to a data recipient is not considered personal data if the recipient does not have the means to re-identify the data subject. Therefore, pseudonymisation is a foundational technique to mitigate data protection risks. It plays a valuable role in helping organisations to address the challenges of data protection, security and privacy.
Pseudonymisation is now accepted by legal bodies as a method for protecting PII data and provides companies with the regulatory resilience they need to underpin compliance.
Regulatory resilience creates competitive advantage
When done right, data privacy delivers not just compliance, but also competitive advantage. Without a doubt, businesses that can accelerate the free flow of data and the adoption of new technologies will be market disruptors. They will innovate faster, enter new markets and nimbly deliver new sources of revenue.
Ultimately, borderless data accelerates business by de-risking the data that drives sustainability, profitability, and growth, connecting and creating new value for organisations, partner ecosystems, and the entire supply chain.
[i] Schrems II is a ruling from the Court of Justice of the European Union (CJEU) which found that the EU-US Privacy Shield framework is an insufficient mechanism to ensure compliance with EU data protection requirements.