
The truth about compliance and data privacy between the EU and U.S.

Changes concerning data privacy protections around the world could impact email marketers in the U.S., the European Union, and beyond. Find out more about the ADPPA as well as what an updated agreement for transferring data across the Atlantic Ocean means to you.


There’s been news recently about an agreement on protecting EU personal data transferred across borders to the United States. Plus, there’s also talk of a comprehensive federal data privacy bill in Washington, D.C.

So, is any of this going to make a difference, or is it just talk?

The American Data Privacy and Protection Act (ADPPA) is making its way through the U.S. legislative process, and it could become the U.S. counterpart to the GDPR. Meantime, the European Union and the U.S. government say the Trans-Atlantic Data Privacy Framework will limit U.S. intelligence agencies’ access to EU personal data to what is necessary and proportionate to protect national security.

Great. But what do new laws and frameworks mean for you as an email marketer? How do you know if your email service provider (ESP) is following the rules? Let’s break things down and clear up confusion around what to expect.

What is the ADPPA?

The ADPPA is the latest attempt to put together a bipartisan bill concerning data privacy in the U.S.

It’s been four years since the General Data Protection Regulation (GDPR) became enforceable across the European Union in May 2018. The regulation applies not only to organizations in the EU, but to anyone, anywhere, who processes the personal data of people located in the EU. (GDPR uses the term “personal data”, which is broader than the U.S. notion of Personally Identifiable Information, or PII.) So, GDPR compliance is really an ongoing global issue.

It’s a different story across the pond in America. There is currently no comprehensive federal data privacy law protecting U.S. residents; privacy rules exist only in sector-specific statutes and in state laws. Some states have enacted their own legislation. Most notably, the California Consumer Privacy Act (CCPA) protects people in that state in ways that are similar to GDPR.

As you might imagine, having a bunch of different rules at the state level makes data privacy complex and confusing. A federal law in the U.S. could simplify things for companies that collect, store, and process consumer data.

The big promise of the ADPPA is that it would clearly define individual privacy rights and the requirements for organizations around the world that process PII from U.S. citizens.

From an international perspective, however, this isn’t easy at all. Just look at some of the problems the U.S. and EU have been dealing with concerning how PII is protected when it’s sent across the Atlantic. The debacle surrounding the EU-US Privacy Shield framework is the perfect example. So, will a new framework help?

What is the Transatlantic Data Privacy Framework?

The Trans-Atlantic Data Privacy Framework (abbreviated TDPA Framework in this article) is a new legal agreement between the EU and U.S. that’s meant to replace what’s known as EU-US Privacy Shield. A replacement is needed because the Court of Justice of the European Union (CJEU) invalidated Privacy Shield in July 2020, in the judgment known as Schrems II. Since then, there has been no adequacy-based framework for GDPR compliant EU-US transfers, and companies have had to rely on other GDPR transfer mechanisms, such as Standard Contractual Clauses, instead.

Privacy Shield was supposed to be a GDPR compliant solution for data sharing between the EU and U.S. But it didn’t work out that way.

The biggest problem with Privacy Shield, in the CJEU’s view, was that U.S. law did not sufficiently limit when, how, and why U.S. intelligence agencies can access EU personal data. The court looked at surveillance programs authorized under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, found that they were not limited to what is strictly necessary, and found that EU individuals had no effective judicial remedy against them. EU data privacy proponents don’t like that at all. In practice, it means that data an EU company stores in U.S. data centers can be the subject of U.S. government access requests, from intelligence agencies or law enforcement, and the company holding the data has limited legal grounds to refuse. The same goes for any U.S. company with EU customers and subscribers.

One particular activist has been at the center of all of this: Austrian lawyer Max Schrems. His complaint against Facebook Ireland, first filed in 2013 over the transfer of his data to the U.S., led to the CJEU’s 2015 Schrems I judgment, which invalidated Privacy Shield’s predecessor, Safe Harbor. The follow-on case, known as Schrems II, invalidated Privacy Shield itself in 2020. After GDPR became enforceable, Schrems and his organization noyb also filed complaints against big tech companies like Facebook, Google, and Apple, but those are separate from the transfer litigation.

So, the new TDPA Framework (sometimes called Privacy Shield 2.0) proposes some changes to the legal transfer mechanism, which are meant to make it more in line with the GDPR. The EU and U.S. announced their commitment to put in place an updated agreement back in March 2022. Here’s what the White House had to say in an official statement:

“For EU individuals, the deal includes new, high-standard commitments regarding the protection of personal data. For citizens and companies on both sides of the Atlantic, the deal will enable the continued flow of data that underpins more than $1 trillion in cross-border commerce every year, and will enable businesses of all sizes to compete in each other’s markets.”

Fact Sheet from WhiteHouse.gov

In other words, there’s a lot of money flowing across the Atlantic (not just data), and both sides want to keep doing business with each other.

What’s happening now?

Here’s where everything stands as of the publication of this article:

  • The ADPPA was approved by the House Energy and Commerce Committee and now awaits a floor vote in the full House. That is only the first step: the bill would still need to pass the House and the Senate, and then be signed by President Biden.

  • The TDPA Framework is agreed upon in principle and is being translated into legal text. On the U.S. side, the commitments are expected to be implemented through an Executive Order from President Joe Biden; on the EU side, the European Commission would then need to adopt an adequacy decision before companies can rely on the framework for transfers.

  • The EU-US Privacy Shield list still exists, and self-certified companies remain bound by their commitments under U.S. law, but since the CJEU ruling it is no longer a valid legal basis for EU-US transfers under the GDPR.

When Privacy Shield was invalidated, there remained ways for companies to stay GDPR compliant. The EU pointed to Standard Contractual Clauses (SCCs) along with supplementary measures, where necessary. Basically, an SCC is a contract, on terms approved by the European Commission, between a data exporter in the EU and a data importer outside it (whether the importer is a controller or a processor), setting out how the importer will process and protect personal data. Supplementary measures are the additional technical, contractual, and organizational steps (for example, encrypting data so that the importer never holds it in readable form) that the exporter must add when the law of the destination country would otherwise undermine the protection the SCCs promise on paper.

You might assume that if the ADPPA becomes law and the TDPA Framework goes into effect, then all the concern and confusion will be over. But that’s not necessarily the case. Here’s our take on what’s happening next...

Problems with the TDPA Framework

While the Transatlantic Data Privacy Framework may alleviate some concerns regarding U.S. intelligence access, it’s still got some issues (don’t we all?).

For one thing, it’s accurately called “Privacy Shield 2.0”, because getting certified under the framework hasn’t changed much beyond the last version. Perhaps the biggest problem is that both frameworks involve a self-certification process.

Essentially, any U.S.-based company can go to the Privacy Shield website, fill out an application, submit some information from their privacy policy, and get certified. But that self-certification is no guarantee of GDPR compliance.

For example, a Federal Trade Commission (FTC) lawsuit alleges that, when self-certifying on the Privacy Shield website, Twitter misrepresented itself as in compliance with the agreement. More than 3,000 active self-certifications are on Privacy Shield’s list, and it’s hard to believe they’re all legitimate.

The bottom line here is that you shouldn’t rely on the TDPA Framework to ensure that you or any vendor you work with are GDPR compliant. Until the European Commission formally adopts an adequacy decision based on it, the TDPA mechanism isn’t much more than a “handshake” between the EU and U.S.

Problems with the ADPPA

The American Data Privacy and Protection Act contains some measures that privacy and civil rights advocates support. That includes anti-discrimination rules and stricter cybersecurity requirements. Make no mistake, having a comprehensive privacy law in the U.S. would be a good thing for nearly everyone, especially if it’s consistent with GDPR.

However, the problem is that there’s still a lot of uncertainty around this bill. A lot could happen between now and the time it passes (assuming it does). Lobbyists for big tech companies may want changes made, and mid-term elections may transform the balance of power in Congress.

Another problem is that the ADPPA preempts state privacy laws. Some political leaders and advocates don’t like that. They think a federal bill should provide a baseline for data privacy that states can enhance with their own rules.

The earliest we could expect passage of the ADPPA is near the end of 2022. And let’s be honest, we all know the U.S. Congress’s track record for passing laws fast and efficiently. If the bill does pass, organizations will get a transition period before it takes effect; if that period mirrors the two years GDPR allowed between its adoption in 2016 and enforcement in 2018, the earliest a federal data privacy law would be in effect is 2025. What are you going to do in the meantime?

Mailjet’s approach to data privacy legislation

At Mailjet by Sinch, we don’t wait for privacy laws and international legal agreements to tell us how to handle data privacy protection. Instead, we take a proactive approach.

Mailjet is extremely serious about data privacy and GDPR compliance. In fact, we were the first company in the world to receive a GDPR certification from AFNOR. That was just weeks after GDPR became enforceable. Plus, Mailjet was the first email service provider to achieve ISO 27001 certification, an independent audit of our information security management system. That was six months before GDPR.

Instead of waiting for changes to privacy laws, our stance is to anticipate them and take action – assuring our customers that their data is protected.

Mailjet and our sister company, Mailgun by Sinch, will continue using SCCs with our customers, and we’ll regularly assess and address risks to data privacy and security. We can prove that we’re adhering to regulations and best practices because we pursue ISO certifications and undergo third-party audits that include GDPR controls.

But here’s the most important factor for EU and U.S. email marketers...

Mailjet got started in France and maintains a physical presence in Europe. So, we have data centers located in places like Germany and Belgium. Because of that, it’s easier to protect EU personal data hosted there: it never has to cross the Atlantic in the first place, so the transfer question doesn’t arise for it.

On top of that, we apply the principle of least privilege, where only limited, need-based roles are granted access to customer data, alongside the GDPR’s data minimization principle of collecting and keeping only the data we actually need. Adding yet another layer, we ensure privacy by design in our product and bake supplementary organizational and technical measures into our IT systems.


Who can you trust?

In order for your organization to be GDPR compliant, you need to find third-party vendors and partners that understand and follow data privacy laws. That includes your email service provider.

At Mailjet by Sinch, we take pride in being on the cutting edge of data privacy and security. That means we go above and beyond to protect our customers’ personal data as well as the private data of every subscriber on their lists.

If other companies tell you “Not to worry” because the new version of Privacy Shield and the ADPPA are going to make everything simple, don’t believe them.

When Mailjet tells you “Not to worry”, it’s because we have a firm grasp on data privacy laws and what needs to be done to remain in compliance with regulations like GDPR. So, if you’re trying to find an ESP that you can trust – look no further.

Stay compliant with Mailjet by Sinch

Choose an ESP that prioritizes data privacy and security. Switch to a platform that provides peace of mind around GDPR compliance and much more.
