Europe, USA to set-up Trans-Atlantic Data Privacy Framework: What this signifies

The European Commission (EC) and the United States of America (US) have jointly agreed on a new data transfer and privacy policy, called the Trans-Atlantic Data Privacy Framework. The move comes after a pre-existing US-European Union (EU) Privacy Shield – which laid down norms for transferring of personal data belonging to US and European citizens, as well as their use by law enforcement and related authorities on either side – was struck down back in July 2020 by the European Court of Justice.

In a joint statement issued on Friday, 25 March, the US and EC stated that the upcoming policy will “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” Based on its initial description, the Trans-Atlantic Data Privacy Framework will bring closer regulations on how personal data linked to European citizens are processed and used on American soil, in turn seeking to reduce unregulated data access for surveillance tasks.

The body further said that the new policy will “establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.”

In April 2021, a CNBC report had stated that both EU and US were hosting negotiations in order to bring the data sharing, localisation and privacy policy into existence. The US-EU joint statement in this regard does not share a timeline for when the exact postulates of the policy will come into order.

A fact sheet for the Framework states that a Data Protection Review Court would be set-up by the American authorities, which will have independent power to take decisions on any grievances related to data sharing and privacy raised by European authorities. It is also expected to enable “continued data flows underpinning EUR 900 billion in cross-border commerce every year.”

Data sharing regulations in India

In India, the upcoming data privacy bill is expected to lay down regulations regarding cross-border data transfers, as well as localisation of personal data belonging to Indian users. The Bill has raised concerns for businesses that work with international technologies and services.

In January 2022, Ashish Aggarwal, head of public policy at Nasscom, said at a Medianama forum, “If you’re imagining a future where Indian SaaS (software as a service) companies, Indian startups are going to be global unicorns, then those very companies will face a problem with this law because then they want to optimize things and they want to be near to customers in terms of what they are offering as services and solutions. Then this very law will come and bite them right because it will require them to segment the way they architect their data and solution.”

Other industry stakeholders have further underlined how restrictions to data sharing across borders could hamper global services – offered by companies such as Google, Amazon, Facebook etc.

Big Tech companies have been lobbying for more fluid cross-border data transfer policies around the world. In October 2020, Google reportedly told a Joint Parliamentary Committee on the data protection bill that India should avoid data localisation requirements in a bid to keep business flows smooth and operational.

Google, on this note, has acknowledged the US-EU Trans-Atlantic Data Privacy Framework. Yesterday, Karan Bhatia, vice-president of government affairs and public policy at Google, said, “People want to be able to use digital services from anywhere in the world and know that their privacy is respected, and their information safe and protected. This agreement acknowledges that reality: it commits the parties to a high standard of data protection while establishing a reliable and durable foundation for the future of internet services on both sides of the Atlantic.”

He further added that such policies “serve as a floor, not a ceiling” towards allowing Google to operate beyond USA.