While many in the United States were recovering from summer vacations and fireworks displays, the European Parliament passed a non-binding resolution that could lead to the suspension of the EU-U.S. Privacy Shield Framework. For the 3000+ organizations participating in Privacy Shield, this resolution may have a profound impact on the way firms conduct business in the EU. If the Europeans follow through on their threat to suspend Privacy Shield after the first of September 2018, participants may need to scramble for an alternative mechanism for lawful transfers of personal data from the EU, lest they run afoul of the General Data Protection Regulation (GDPR).
Such uncertainty can’t be good for business. The US enjoys a top ranking among the EU’s trading partners with $1.1 trillion in annual bilateral trade. The threat of suspending or invalidating Privacy Shield creates fresh anxiety for senior executives whose firms rely on the digital and global economy to prosper.
Disappointingly, companies interested in learning about Privacy Shield will find, on privacyshield.gov site, no mention of the dispute or its potential ramifications for participants. The relative lack of interest in this topic means that fewer news outlets will pick it up. This summer’s Privacy Shield developments have also been drowned out by the passing of the California Consumer Privacy Act of 2018.
Thus far, it seems that the only public statement coming from the Department of Commerce (Privacy Shield’s oversight body) is a July 17 meeting recap claiming a “productive discussion” between the European Parliament’s LIBE Committee and senior US officials from the National Economic Council, the Departments of Justice, Commerce and State, and the Office of the Director of National Intelligence. The released statement includes a document blandly summarizing US responses to many of the EU’s long list of grievances. What the press release lacked was a clear signal about next steps. Instead, we must wait to see what comes of these negotiations in coming weeks.
The ongoing tariff dispute between the US and EU degrades public confidence in the future of the Privacy Shield program. The current “misunderstanding” between the parties may lead to a protracted argument. Like the Safe Harbor program before it, the EU may choose to invalidate Privacy Shield’s “adequacy” status under GDPR Article 45. The result of such a decision would mean that the sides must regroup and come to consensus on a new data protection accord. Just as privacy practitioners experienced a few years ago, the lengthy limbo period between old and new will lead to much frustration among business leaders.
Some argue that the EU’s recent threat is a strictly punitive measure in the face of a zero-sum game. Others note that Europe’s concerns stem from a view that the Privacy Shield program – like its predecessor – does not deliver on promises to enforce data privacy practices among participants. These issues magnify the culture clash that emerges from different histories and sociopolitical perspectives on national security, foreign intelligence gathering post-9/11, and the role of privacy as a fundamental right.
If the Privacy Shield is Suspended, What Options Remain for US Companies?
From a legal perspective, GDPR Articles 46 and 49 offer several alternatives for lawful transfers of personal data from the EU to US. These alternatives may lead to new operational challenges for privacy leaders. Add to this the hassle of dismantling a Privacy Shield-focused compliance program and starting anew (this activity is almost always an unbudgeted expense). Regardless, organizations may need to pivot to one or more of the following mechanisms:
- Explicit Consent: Improves awareness through greater transparency; May not be appropriate for every type of business transaction.
- Binding Corporate Rules (BCRs): Complex and expensive; Appropriate for the largest multi-national companies.
- Standard Data Protection Clauses: Requires contract negotiations with each trading partner; Adds to firms’ contract management challenges.
- Participation in an approved industry Code of Conduct: Limited to certain industries, such as pharmaceuticals, digital advertising and marketing.
- Demonstrated compliance with an approved Certification program: Also limited; with uncertainty about which certifications meet EU standards for data protection.
- Derogations (Exemptions) for Specific Situations: Promising alternative for some companies; Requires documented review and business justification.
Which option above is best for your organization? Privacy experts will probably respond with a lawyerly “it depends.” It depends on myriad factors unique to each business function and process. It depends on an understanding of risk appetite balanced with organizational values and goals. In short, the suspension of Privacy Shield may require some to go back to the drawing board to develop new data protection solutions to meet the challenge of transatlantic data flows.
Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or firstname.lastname@example.org.