In the nine months since Europe’s highest court struck down a transatlantic data flow agreement between the European Union and the United States, companies have lacked consistent guidance on how best to forge ahead with data sharing without fear of possible retaliation while negotiators work out a new pact.
But now that corporate anxiety is being reflected in earnings reports filed with the Securities and Exchange Commission, according to a Morning Consult analysis of all SEC filings from publicly traded companies in 2020. Companies outside of the tech sector — like shopping channel QVC and ViacomCBS Inc. — have begun adding warnings to their investors about the possible revenue hit the court decision and continued discussions about a replacement deal could have on their businesses.
While publicly traded companies err on the side of caution in the risk factors section of their annual and quarterly reports, the emergence of such warnings months after the court struck Privacy Shield down underscores the growing concerns businesses of all kinds are facing as they await clearer guidelines for their day-to-day data transfers.
Justin Antonipillai, who co-led the United States’ negotiating team that established Privacy Shield in 2016 while he was at the Commerce Department, said the “ambiguity” over the timing of a replacement agreement has made such warnings to investors necessary.
In his current role as founder and chief executive of WireWheel, which helps companies manage their privacy programs, Antonipillai and his team help companies understand compliance requirements for the various privacy laws that have been enacted in recent years.
Given the minimal public comments from the Biden administration and the scope of the court decision that struck down Privacy Shield, Antonipillai said he suspects that for “a lot of public companies, it will become a standard disclosure” during the upcoming earnings window later this month.
In July, the Court of Justice in the European Union struck down a 4-year-old agreement between the United States and European Union to transfer data between companies in those regions, known as Privacy Shield, and called into question the most popular alternative to that framework: standard contractual clauses.
As such, companies have been left in the lurch with European regulators laying out conflicting guidance on how they can legally send data without risking a fine or other regulatory retaliation later on.
And as the Commerce Department announced last month that negotiations are “intensifying” between the two parties, European officials have warned that it could be years before there’s a satisfactory agreement.
While tech companies heavily reliant on data sharing, like Facebook Inc. and Alphabet Inc., had been warning about the impact this court decision could have on their business for months beforehand, companies in the retail, insurance, biotech, financial services and other consumer-facing sectors are newer to the party.
Some of the other companies that first warned about the impact of the July court ruling in filings this year include Jessica Alba’s natural home goods shop The Honest Company Inc., financial services company Western Union Co. and biotech group Revance Therapeutics Inc.
And while such companies might not seem obviously impacted by a data transfer business, each of them relies on cloud computing or has offices on other continents, making it more difficult for them to share data internally. For instance, QVC noted in its filing that its e-commerce business could be impacted by the lack of a Privacy Shield replacement since it has international customers.
Jay Cline, PwC’s U.S. privacy services leader, said this is part of a larger trend of companies starting to disclose any and all privacy matters to investors since the implementation of the General Data Protection Regulation in 2018, rather than just cybersecurity matters.
“Boards needed to be educated on cybersecurity when it first became prominent. Now they need to be educated on what’s the difference between cybersecurity and privacy,” Cline said. “In that regard it’s easiest to talk about privacy from a compliance perspective. Boards will get that.”
As the E.U. ramps up enforcement of the GDPR and several U.S. states take up their own privacy laws this year in lieu of federal action, investors can expect to see even more disclosures about privacy issues in SEC filings, Cline said.
Gartner Inc., a global research and advisory firm, forecasts that 65 percent of the global population’s personal information will be under the purview of a modern privacy regulation by 2023, compared with the 10 percent that was in 2020.
“One of the major trends that we’re seeing across the industry is the elevation of privacy to be a CEO-level issue,” Antonipillai said.