“TADPF.” Though it’s not the smoothest acronym, it is a significant development for the privacy community. The TADPF or Trans-Atlantic Data Privacy Framework is the EU-U.S. data flow agreement "in principle" announced last week.
In Europe, it was seen widely — although not unanimously — as a positive development by many privacy pros out there looking for legal certainty, as they consistently rate compliance with cross-border personal data transfer requirements as their most difficult task. Others, like the European Data Protection Supervisor, welcomed with pragmatic reserve a political deal, the details of which must be formally approved by EU Member States before it enters into force.
Others expressed varying degrees of skepticism and predictions about whether this agreement will lead to a “Schrems III” ruling. But the reality is that the framework text is not yet public and no analysis at this stage can knowledgeably opine on whether the new arrangement would satisfy the requirements laid down in the Court of Justice of the EU’s “Schrems II” decision.
Elsewhere:
- EU-US Consumer Dialogue. The TADPF news somewhat overshadowed another trans-Atlantic announcement by Didier Reynders, EU Commissioner for Justice, and Lina Khan, Chair of the U.S. Federal Trade Commission. They are “reinvigorating (the informal dialogue) on consumer issues, especially the impact of technological developments, to maximize the mutual benefits of policy and regulatory cooperation.” On top of the list are commercial dark patterns; digital business models that rely on AI; and protection of certain consumer groups, including children and underserved populations, that may be targeted or disproportionately harmed by social media and online marketing techniques.
- DMA and privacy. EU co-legislators announced an agreement on the Digital Markets Act last Friday. Once formally adopted, the DMA will be directly applicable across the EU and will apply six months after entry into force. This flagship legislative proposal, while largely a competition tool with an internal market legal basis, is relevant for privacy pros. As IAPP Country Leader for France Yann Padova puts it, “the instrument of power” of large platforms acting as “gatekeepers” comes from the massive collection of personal data which allows them to extend their activities to a multitude of sectors. The DMA creates new obligations, not all privacy focused, but some — including targeted advertising and data portability — have a privacy component. Some of them may even raise questions of compatibility with the EU General Data Protection Regulation.
- DSA. The Digital Services Act is still under negotiation with another round of talks this week. For background, the DSA aims to regulate the obligations of digital services that act as intermediaries in their role of connecting consumers with goods, services and content. The European Parliament rapporteur MEP Christel Schaldemose is confident that a deal could be reached as early as the end of April. However, significant areas still need to be ironed out among EU co-legislators, including the scope of the interdiction of dark patterns, specific requirements pertaining to minors and the supervision of very large platforms.
- Pseudonymization/health data. ENISA, the EU’s executive agency for cybersecurity, released a report that explores how pseudonymization techniques can help increase the protection of health data. TL;DR? Check out this helpful summary by IAPP Senior Fellow Katharina Koerner.
More information to come as we unpack all this for you.