It’s been over a week since the European Union announced that it is granting the United States an adequacy decision in light of the new Data Privacy Framework (DPF), and Austrian privacy activist Max Schrems hasn’t filed a suit to invalidate that decision or attack the DPF directly. It’s time for U.S. companies to do to the EU Standard Contractual Clauses (SCCs) what Ron Livingston did to the printer in the classic movie "Office Space," and to celebrate. (Break out your pieces of flair!) Right?
The answer to that is likely no. Because, like "Office Space," many of us have seen this movie before: the EU and U.S. agree to a transfer mechanism to provide protection and make business a bit more fluid, and then…eventually… Max Schrems takes action, not unlike Bill Lumbergh ruining an employee’s weekend, except that in our case the employee is every U.S. company and the weekend is the foreseeable future. So, for the time being, it’s prudent for U.S. companies to continue filing their TPS reports (i.e., using the SCCs when transferring EU personal data to the U.S.), because even if it costs a bit more time and money now, having to backpedal later, after another Max Schrems victory, would be far more costly.
Nevertheless, it may be worthwhile for U.S. companies, whether they were Privacy Shield certified or not, to examine the new DPF and consider whether it is right for them. Apart from incorporating Executive Order 14086 (which limits what the U.S. intelligence agencies can do and provides recourse mechanisms for non-citizens), the DPF doesn't make many substantive changes from the Privacy Shield. While some updates will be needed to certify under the DPF, they are generally manageable.
There are a few minor differences between the DPF and Privacy Shield that U.S. companies should be aware of:
- the $500 fee cap for annual re-certification has been removed (we don’t believe the fee will increase drastically, but it now could); and
- the withdrawal process under the DPF is much more detailed and involved than under the Privacy Shield, and potentially quite costly.
Companies wishing to withdraw (after certifying compliance with the DPF) will have to do one of the following:
- make annual filings with the Department of Commerce regarding continued DPF compliance in practice or similar adequate protection;
- enter into agreements with each data subject binding the company to the terms and principles of the DPF with respect to its processing of that person’s personal data; or
- return or delete all personal data collected while certified under the DPF (and the Privacy Shield before that, if converting).
None of these options is practical, inexpensive, or welcome, but they will be the new law of the land, so consider carefully before certifying under the DPF (or converting over from the Privacy Shield).
In conclusion, there may be a few (competitive) advantages to a U.S. company certifying under the DPF, but if it is invalidated in the near future, as the Privacy Shield was, and Safe Harbor before that, the hurdles and costs associated with exiting the DPF (and possibly switching back to reliance on the SCCs) may make it more reasonable to hold off on certifying under the DPF, at least for a few years. In sum, it's not that U.S. companies are lazy (with respect to the DPF); it's a problem of motivation, and right now U.S. companies don't really have that.