On July 10, 2023, the European Union adopted the new EU-US Data Privacy Framework (DPF) program, quickly dubbed the ‘adequacy’ decision. In short, the ruling states that the US has adequate protections in place to comply with EU data privacy standards. In concert, on July 17th, the United States publicized a new website where companies can self-certify if they want to participate in cross-border data transfers. The DPF is designed to govern the flow of personal data from EU countries to the US in a way that complies with EU law as specified under the General Data Protection Regulation (GDPR). Unfortunately, the DPF is already failing to serve as the lighthouse that guides businesses away from the proverbial rocks of EU privacy laws. And, if the alphabet soup has you confused already, you’re not alone.
Shortly after the GDPR became law, complaints were lodged against Google, WhatsApp, Facebook, and Instagram on the grounds that they had not obtained proper consent for the data they collected or for how that data was intended to be used. The complaints centered on the practice of bundling consent to give up private information with the ability to use the service, which is strictly prohibited under the GDPR. These lawsuits have created a whirlwind of actions on the part of the US in attempts to comply, none of which have thus far met the mark. The US-EU Safe Harbor Framework, dating back to July 2000, well before the GDPR, was superseded by the Privacy Shield Framework in 2015. Both fell far short of meeting the strict GDPR requirements, most notably with respect to US law enforcement’s ability to utilize collected data.
And, although the US did take steps to address the concerns through an October 2022 Executive Order, it’s predicted that the DPF will also fall short on similar grounds, not going far enough to restrict law enforcement access to personal data. The fact that it relies on an executive order, which could be repealed by a future President, is expected to play a central role in legal challenges. Another remarkable gap pertains to the fact that the DPF is administered in the US by the International Trade Administration (ITA) within the U.S. Department of Commerce. However, US financial institutions are regulated by multiple agencies, including the Federal Reserve Board (FRB), the Federal Deposit Insurance Corp. (FDIC), and the Securities and Exchange Commission (SEC). This gap is remarkable given that the DPF document actually references the US government’s authority to obtain financial records with an administrative subpoena. Also notable is the fact that the Federal Communications Commission is responsible for regulating telecoms, creating another large gap in the DPF.
Pundits argue there is a fundamental deficiency in the US Constitution: it does not guarantee privacy. Currently, privacy concerns have been based on Fourth Amendment protections against illegal search and seizure. What little protection these laws and precedents afford does not extend to non-citizens. Any attempt to overturn this long-standing practice would likely be met with staunch resistance. Further, the lack of federal laws governing how public and private companies can collect, store, and use personal data widens the compliance gulf between US businesses and EU law.
On a positive note, several areas of improvement have been identified and are expected to live on in future agreements if the DPF is invalidated. These include the right to obtain access to one’s own personal data, the right to correct inaccurate data, and the right to delete unlawfully processed data. Each of these may pose challenges to long-standing US business and advertising practices. Many organizations started collecting this information decades before the new regulations. Developing mechanisms to comply with the requirements may come at a steep cost for organizations that did not prepare ahead of the ruling. Under the DPF, the Federal Trade Commission (FTC) and US Department of Transportation (DOT) have the right to levy civil penalties of up to $50,120 per violation, and of the same amount per day for ongoing violations.
Amidst the chaos and murky waters that are EU privacy requirements, US businesses are begging for clarity. Unfortunately, the DPF fails to provide any specific clarity, leaving US companies in a holding pattern. As with prior statutes, companies should continue to self-certify, this time under the DPF instead of the Safe Harbor requirements. For companies that want to comply with the spirit, and not just the letter, of the EU laws, we recommend a comprehensive review of what data is collected and stored. And most importantly, US companies need to dramatically limit sharing of data to a need-to-know basis, even though this may affect the bottom line as revenue streams from data sharing agreements dry up. In any case, one thing is clear: the DPF is not the lighthouse in the storm that US companies have been seeking. Thus, US businesses looking to deal in EU personal data should tread extremely cautiously to avoid penalties and legal challenges in these uncharted waters.