After three years of negotiations, the EU gave final approval in July to a new deal that allows companies to store data about Europeans on U.S. soil. Companies can sign up to use the new framework, potentially simplifying how they handle personal data. Still, some corporate privacy officers said they are in no rush to do so, waiting to see whether the new agreement will be challenged in court and whether continuing to use existing privacy contracts, although it is more work, might make more sense.
Using the new deal, known as the Trans-Atlantic Data Privacy Framework, opens companies up to more regulatory scrutiny and requires privacy teams to go through extra work to make sure they meet requirements under the deal.
Since 2020, when the European Union’s top court ruled that Privacy Shield, a previous data agreement, was illegal, companies have been forced to use lengthy legal contracts to transfer data to the U.S. The court said the Privacy Shield left open the possibility that the U.S. government could access European data, posing risks to Europeans’ privacy.
More than 5,000 companies had used Privacy Shield to move data between jurisdictions. So far, around 2,500 companies have signed up to the new framework, according to the Commerce Department.
Some corporate privacy officers said they are used to their contractual arrangements now, even if they are time consuming, and might stick to those instead of signing up to use the new framework.
“We want to make sure it’s worthwhile,” said Alea Garbagnati, head of privacy at Adaptive Biotechnologies, a Seattle-based drug-discovery company. Garbagnati said she would determine in the next six months to a year whether to certify to use the framework.
The U.S. Federal Trade Commission has sanctioned businesses that didn’t comply with the Privacy Shield and the same could happen under the new framework, Garbagnati said.
After Privacy Shield was killed, some companies made moves to protect their data that they might not be able to easily undo, said Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals, a trade group based in New Hampshire.
In particular, some European companies switched from American to European technology providers, Fennessy said. Regulators told companies in several European countries that it was illegal for them to use services from U.S. companies, including Cloudflare’s cloud cybersecurity service and Google Analytics to track website traffic for digital advertising.
Many companies transfer personal data from Europe to the U.S. because they are multinationals and handle human-resources information in different jurisdictions, or they might move data abroad because it helps them provide certain services to customers. Companies also work with supply chains that could include service providers located in different parts of the world, requiring that personal data moves between countries.
For companies to become certified under the new deal, they need to agree to adhere to principles including the use of appropriate measures to protect personal data from unauthorized access, destruction or disclosure, and sharing data with third parties only if an individual consents.
Max Schrems, the lawyer who filed the complaint that led the EU court to strike down the Privacy Shield, has said he intends to file a complaint against the new framework.
EU officials said they expect complaints but aren’t concerned. “We believe that if there is a challenge, we can credibly defend this framework,” said Bruno Gencarelli, the top EU official who negotiated the agreement with the U.S., speaking at an online event last week.
Last year, President Biden signed an executive order giving Europeans the right to find out about and challenge suspected cases of U.S. authorities spying on their data. The change was intended to address privacy concerns raised in the 2020 court ruling.
California-based chip maker Ingram Micro can comfortably wait to see how the framework plays out, said Ronald Sarian, its global chief privacy officer, adding he hasn’t determined yet if the company will sign up.
Sarian said he would consider a “belt and suspender approach” of trying out the new framework while keeping existing multiyear contracts with business partners that include privacy safeguards.
Real Chemistry, a healthcare-focused marketing company based in San Francisco, favors the new framework over bespoke contracts, which take a long time to negotiate, said Dan Linton, its global data privacy officer. “Many of our contracts had longer data privacy sections than the main part of the agreement,” he said.
Even if companies sign up to the framework, they might have business partners that require additional contracts. If that is the case, companies might be going through the effort of certifying and only bringing on unnecessary regulatory risk, said Adaptive’s Garbagnati.
“It doesn’t seem worth it if our customers and the vendors we work with are just going to make us go do standard contractual clauses,” she said.
