Do the Right Thing for E.U. Privacy? Not Without an Enhanced Privacy Shield Agreement

The recent joint announcement by the U.S. Department of Commerce and European Commission that they have “decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework” was welcome news for the thousands of small- and medium-sized enterprises that rely on safe and secure data transfer across the Atlantic for the success of their business.

There is an urgent need to enhance the Privacy Shield Framework and re-establish a legitimate mechanism for transatlantic transfers of personal data. Last month’s glimmer of hope is tempered by the fact that until European and U.S. representatives complete their negotiations, U.S. companies of all sizes will remain in a state of uncertainty as to their privacy compliance.

Indeed, businesses in the United States have now endured more than eight months of uncertainty since the July 2020 European court decision known as Schrems II. With that in mind, the joint U.S.-E.U. focus on “facilitating trusted data flows” to support “economic recovery” strikes the right balance on preserving privacy rights while creating a workable solution that can allow for digital trade to continue.

The need for a seamless digital trade relationship between the European Union and the United States is critical, given the estimated $5.6 trillion in economic activity flowing across the Atlantic Ocean. All sectors of the U.S. economy rely on these data flows. A quick glance at the more than 4,400 companies on the Privacy Shield list shows that these businesses are involved in everything from professional services to infrastructure to manufacturing to retail. Not a single industry in America has remained unaffected by Schrems II.

BBB National Programs’ role as a leading Independent Recourse under Privacy Shield provides us with a unique vantage point into the impact this ongoing regulatory uncertainty has on business operations. Over 1,000 businesses of all sizes make use of our BBB EU Privacy Shield services, representing more than 27 percent of the market for private IRM services. 85 percent of these companies meet the E.U. definition of small- and medium-sized enterprises.

The businesses that rely on Privacy Shield want to do the right thing – to align themselves with E.U. values and find compliant solutions for data transfers. Despite the Schrems II decision, business commitments under the Privacy Shield Principles remain in force due to the unilateral support of the U.S. government. The fact that most participating businesses have remained committed to Privacy Shield shows just how valuable these transparency and accountability mechanisms are for businesses that have aligned their privacy practices with E.U. standards.

Another mechanism, Standard Contractual Clauses, is often cited as an alternative arrangement for a subset of the data transfers covered under a broad solution like Privacy Shield. But not only are SCCs impractical for small- and medium-sized enterprises when used for U.S. transfers, SCCs have been seriously weakened by the same Schrems II court decision.

In the coming weeks, we are likely to see just how tenuous SCCs remain. The resolution of the Irish Data Protection Commission’s challenge to Facebook’s use of SCCs will be an important clue. Depending on the outcome, this could be only the first of many such challenges.

The fact remains that the commercial safeguards already built into Privacy Shield were not called into question by the Schrems II court. That is why an enhanced framework is unlikely to require significant changes in the privacy practices to which Privacy Shield businesses commit. Instead, any adjustments to U.S. government practices and safeguards included in the new agreement will lighten the compliance burden for all businesses that process E.U. data, even those relying on alternative mechanisms like SCCs.

To be sure, there has been disagreement on how data transfer between the United States and Europe should be handled since American businessman Cyrus West Field laid the first transatlantic telegraph cable in 1858. But from telegraph to telephone, from coax to fiber, policymakers on both sides of the Atlantic have always figured out ways to resolve their differences.

By many accounts, great steps have been made in the past weeks to solve this most recent challenge, with renewed vigor from U.S. administration officials under the leadership of newly confirmed Commerce Secretary Gina Raimondo. But it is past time for both governments to fully prioritize this issue because a compliant solution is already well overdue. An enhanced Privacy Shield is needed in weeks, not months. Without it, this important trade relationship between democratic societies will continue to erode.

Eric Reicin is president and CEO of BBB National Programs, an independent, nonprofit organization that fosters trust in the marketplace through the development and delivery of third-party self-regulation, dispute resolution and accountability programs.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult