Some businesses are exercising caution before signing up for a long-awaited new data agreement between the U.S. and the European Union. They want to determine if the benefits of the agreement outweigh the potential risks.
After three years of negotiations, the EU granted final approval in July to a new deal that permits companies to store data about Europeans on U.S. soil. Companies have the option to join the new framework, which could streamline the handling of personal data. However, some corporate privacy officers are not rushing to do so. They want to assess if the new agreement will face legal challenges and if it makes more sense to continue using existing privacy contracts, despite the additional work involved.
The implementation of the new deal, known as the Trans-Atlantic Data Privacy Framework, subjects companies to increased regulatory scrutiny and necessitates additional efforts from privacy teams to ensure compliance with the agreement’s requirements.
In 2020, the European Union’s top court ruled that the previous data agreement, Privacy Shield, was unlawful. Since then, companies have resorted to using lengthy legal contracts to transfer data to the U.S. The court determined that Privacy Shield left open the possibility of U.S. government access to European data, posing privacy risks for Europeans.
Over 5,000 companies had utilized Privacy Shield for data transfers between jurisdictions. Currently, around 2,500 companies have enrolled in the new framework, according to the Commerce Department.
Certain corporate privacy officers feel comfortable with their current contractual arrangements, despite the time-consuming nature, and may choose to stick with them instead of joining the new framework. Alea Garbagnati, Head of Privacy at Adaptive Biotechnologies, a drug-discovery company in Seattle, stated that they want to ensure the new framework is worth the effort and will make a decision within the next six to twelve months.
Garbagnati mentioned that failure to comply with the Privacy Shield resulted in sanctions from the U.S. Federal Trade Commission, and the same consequences could occur under the new framework. Caitlin Fennessy, Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals, noted that some companies adopted measures to protect their data after Privacy Shield was invalidated, which may not be easily undone.
European companies, in particular, switched from American to European technology providers following regulatory guidance that deemed it illegal to use services from U.S. companies, including Cloudflare’s cloud cybersecurity service and Google Analytics for digital advertising’s website traffic tracking, in several European countries.
Many companies transfer personal data from Europe to the U.S. due to being multinational and handling human-resources information across different jurisdictions. They may also move data abroad to facilitate certain services for customers and collaborate with supply chains involving service providers situated in different countries, requiring cross-border data transfers.
To obtain certification under the new agreement, companies must commit to adhering to principles, including implementing appropriate measures to safeguard personal data from unauthorized access, destruction, or disclosure. Sharing data with third parties is only permitted with individual consent.
Max Schrems, the lawyer responsible for filing the complaint that led to the EU court invalidating Privacy Shield, intends to file a complaint against the new framework. EU officials anticipate potential challenges but express confidence in their ability to defend the framework if necessary.
President Biden signed an executive order granting Europeans the right to learn about and contest suspected cases of U.S. authorities spying on their data. This change aimed to address privacy concerns raised by the 2020 court ruling.
For California-based chip maker Ingram Micro, its Global Chief Privacy Officer Ronald Sarian stated that they can afford to wait and observe the framework’s outcomes before deciding whether to sign up. Sarian mentioned considering a cautious approach of trying out the new framework while maintaining existing multiyear contracts with business partners that incorporate privacy safeguards.
On the other hand, Real Chemistry, a San Francisco-based healthcare-focused marketing company, prefers the new framework to bespoke contracts, which require extensive negotiation. Dan Linton, its Global Data Privacy Officer, explained that many of their contracts contained lengthy data privacy sections.
Even if companies join the framework, they might still need additional contracts with their business partners. Alea Garbagnati from Adaptive Biotechnologies believes that this could entail unnecessary regulatory risk despite the certification process.
For further inquiries, contact Catherine Stupp at [email protected].
Denial of responsibility! VigourTimes is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.
