*Article originally posted on Law.com authored by Cassandre Coyer at LegalTech News.*

This summer marked a key development in the history of data transfers between the U.S. and European Union when the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework after two prior invalidated agreements.

But whether that milestone is translating to a wave of companies registering to get certified under the new framework is less apparent.

Given the looming possibility of a Schrems III lawsuit from privacy advocate Max Schrems, an aggressive Federal Trade Commission and customers’ ongoing demand for standard contractual clauses, companies should weigh the costs and benefits of getting certified.

Below, data privacy attorneys highlighted some of the key considerations at play on both sides of the argument during an EU-U.S. Data Privacy Framework webinar from law firm Baker McKenzie on Thursday.

The Pros: ‘Convenient and Easy’ Solution

Despite some uncertainties around the longevity of the DPF, Brian Hengesbaugh, chair of Baker McKenzie’s global data privacy and security business unit, noted that he expects more companies to certify with the framework than with its predecessor, the Privacy Shield, because it is in a stronger position to withstand legal challenges.

“I think the irony of all of this back-and-forth is that I think we’re at a spot now where you could say the Data Privacy Framework is slightly stronger from a legal perspective than the use of standard contractual clauses or even binding corporate rules,” he explained.

Of course, there are other mechanisms available that allow data transfers outside of the European Economic Area. Binding corporate rules and standard contractual clauses are still strong alternatives, though they require companies to complete transfer impact assessments. The DPF has no such requirement.

“Having an adequacy decision means you don’t need to do a transfer impact assessment. You don’t need supplementary measures to make your transfer valid. In a way if you have an adequacy decision, it’s like an intra-EU transfer. So you need to comply with GDPR but it’s like an internal EU transfer,” Elisabeth Dehareng, a partner in Baker McKenzie’s information technology and communications group in the firm’s Brussels office, said.

She added, “It’s very difficult to do a transfer impact assessment that is completely right.”

Of course, with transatlantic data transfers there are derogations available for specific situations such as when explicit consent is obtained or if the transfer is necessary for the conclusion of a contract. But building a meaningful privacy program around the reliance on derogations can be tricky, Hengesbaugh noted, because these derogations tend to be narrowly interpreted.

Overall, the DPF provides a “convenient and easy solution” for companies, whether they’ve already certified to the Privacy Shield or not, Cristina Messerschmidt, a Chicago-based associate in Baker McKenzie’s privacy and security practice group, said. In fact, she noted that for organizations with a modern privacy program in place, many of the principles listed in the DPF likely overlap with policies they already have.

The Cons: ‘How Long [Is This] Going to Stand’?

Still, while data privacy attorneys see the DPF as the safest approach for a majority of companies, they also pointed to some of the risks that may come with certifying under the new framework.

For one, U.S. organizations that are planning to certify would be subject to stringent redress mechanisms and under the scrutiny of an FTC ready to enforce its powers.

“If you register with DPF, you have to be ready that there is [FTC] enforcement authority now over you with respect to compliance with the DPF which is not applicable if you’re using BCRs or SCCs,” Hengesbaugh said. He added, “I think it’s fair to say the [FTC] is pretty aggressive these days about what they’re doing on enforcement.”

What’s more, the decision to certify under the DPF doesn’t always mean that companies won’t have to rely on SCCs anymore.

“It is very likely that you will also have to enter into standard contractual clauses, again depending … on your customer population, depending on what your vendors … are willing to sign up to, are willing to accept,” Messerschmidt explained.

And of course, it’s hard to ignore the fact that privacy advocates have already raised concerns about the new framework.

Schrems, the chair of NOYB, told Law.com International in July that the organization would likely challenge the new agreement before the Court of Justice of the European Union soon.

“So the question of how much and how long this is going to stand is certainly an open question notwithstanding the fact that right now it is still … the most certain transfer mechanism for transfers of data to the U.S.,” Messerschmidt said.


Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.