*Article originally posted on Law.com authored by Cassandre Coyer at LegalTech News.*
This summer marked a key development in the history of data transfers between the U.S. and European Union when the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework after two prior invalidated agreements.
But whether that milestone is translating to a wave of companies registering to get certified under the new framework is less apparent.
Given the looming possibility of a Schrems III lawsuit from privacy advocate Max Schrems, an aggressive Federal Trade Commission and customers’ ongoing demand for standard contractual clauses, companies should weigh the costs and benefits of getting certified.
Below, data privacy attorneys highlighted some of the key considerations at play on both sides of the argument during an EU-U.S. Data Privacy Framework webinar from law firm Baker McKenzie on Thursday.
The Pros: “Convenient and Easy” Solution
Despite some uncertainties around the longevity of the DPF, Brian Hengesbaugh, chair of Baker McKenzie’s global data privacy and security business unit, noted that he expects more companies to certify with the framework than with its predecessor, the Privacy Shield, because it is in a stronger position to withstand legal challenges.
“I think the irony of all of this back-and-forth is that I think we’re at a spot now where you could say the Data Privacy Framework is slightly stronger from a legal perspective than the use of standard contractual clauses or even binding corporate rules,” he explained.
Of course, there are other mechanisms available that allow data transfers outside of the European Economic Area. Binding corporate rules and standard contractual clauses are still strong alternatives, though they require companies to complete transfer impact assessments. The DPF has no such requirement.
“Having an adequacy decision means you don’t need to do a transfer impact assessment. You don’t need supplementary measures to make your transfer valid. In a way if you have an adequacy decision, it’s like an intra-EU transfer. So you need to comply with GDPR but it’s like an internal EU transfer,” Elisabeth Dehareng, a partner in Baker McKenzie’s information technology and communications group in the firm’s Brussels office, said.
She added, “It’s very difficult to do a transfer impact assessment that is completely right.”
Of course, with transatlantic data transfers there are derogations available for specific situations such as when explicit consent is obtained or if the transfer is necessary for the conclusion of a contract. But building a meaningful privacy program around the reliance on derogations can be tricky, Hengesbaugh noted, because these derogations tend to be narrowly interpreted.
Overall, the DPF provides a “convenient and easy solution” for companies, whether they’ve already certified to the Privacy Shield or not, Cristina Messerschmidt, a Chicago-based associate in Baker McKenzie’s privacy and security practice group, said. In fact, she noted that for organizations with a modern privacy program in place, many of the principles listed in the DPF likely overlap with policies they already have.
The Cons: “How Long [Is This] Going to Stand”?
Still, while data privacy attorneys see the DPF as the safest approach for a majority of companies, they also pointed to some of the risks that may come with certifying under the new framework.
For one, U.S. organizations that are planning to certify would be subject to stringent redress mechanisms and under the scrutiny of an FTC ready to enforce its powers.
“If you register with DPF, you have to be ready that there is [FTC] enforcement authority now over you with respect to compliance with the DPF which is not applicable if you’re using BCRs or SCCs,” Hengesbaugh said. He added, “I think it’s fair to say the [FTC] is pretty aggressive these days about what they’re doing on enforcement.”
What’s more, the decision to certify under the DPF doesn’t always mean that companies won’t have to rely on SCCs anymore.
“It is very likely that you will also have to enter into standard contractual clauses, again depending … on your customer population, depending on what your vendors … are willing to sign up to, are willing to accept,” Messerschmidt explained.
And of course, it’s hard to ignore the fact that privacy advocates have already raised concerns about the new framework.
Schrems, the chair of NOYB, told Law.com International in July that the organization would likely challenge the new agreement before the Court of Justice of the European Union soon.
“So the question of how much and how long this is going to stand is certainly an open question notwithstanding the fact that right now it is still … the most certain transfer mechanism for transfers of data to the U.S.,” Messerschmidt said.