Privacy Shield: A strong framework for transatlantic digital trade

The Privacy Shield agreement has already improved data protection and digital trade between the EU and the US in its first year, and that should continue, writes Victoria A. Espinel.

Victoria A. Espinel is president and chief executive of BSA | The Software Alliance.

The EU-US Privacy Shield achieves the right balance between data protection and the need for uninterrupted data flows. In its first year, it has already improved protections for the personal data of EU citizens, and provides a foundation for the growth of innovative services on which our economies and job growth greatly rely.

As the Privacy Shield’s first annual review starts Monday (18 September), we should not underestimate the progress that has already been made to strengthen it.

The global economy is more interconnected than ever before. The amount of data being shared around the world has grown 45 times larger since 2005. And we expect an even sharper increase over the next decade, according to a McKinsey report.

Data flows transmit valuable information and underpin the movement of not only services and finance, but also goods and people. Almost every type of transaction today has both a digital and international component and therefore relies on the unhindered and uninterrupted flow of data.

EU privacy watchdog: Privacy shield should be temporary

European privacy watchdogs have received “a few” complaints about the privacy shield data transfer agreement with the United States since it was brokered one year ago, the EU’s top privacy advocate said in an interview.

This includes personal data, which always carries a higher level of protections to safeguard privacy. Protecting privacy and allowing data flows are not mutually exclusive – in fact, they are both essential as the EU seeks to reap the benefits of the global data economy.

The Privacy Shield framework successfully balances the two priorities. The agreement improves privacy protections and ensures that data can continue to flow across the Atlantic, supporting the EU-US trillion-euro trade relationship, by far the largest in the world.

It is important to understand how the Privacy Shield improves upon the protections of its predecessor, the “Safe Harbor” Framework. The new framework is the result of intense and constructive negotiations between the European Commission and the US government that ended in summer 2016.

Compared to Safe Harbor, Privacy Shield provides significant enhancements and considerably stronger data protection obligations for companies transferring EU citizens’ data to the United States.

Take commercial practices, for example. The Privacy Shield imposes stricter onward transfer requirements for third-party processing of EU data, and stronger monitoring and enforcement by US authorities. It also gives EU citizens several additional redress possibilities if they think their data has been misused, including the ability to lodge a complaint with the company or their local data protection authority.

Software companies are at the forefront of the digital transformation and are responsible stewards of the data that individual customers and companies across all industries entrust to them. Customer trust is key, and in order to retain it, software companies have placed privacy at the very core of their services.

There are 2,400 companies certified to the Privacy Shield, and they have invested considerable efforts and resources to revise their privacy policies and procedures to correspond to the agreement’s tougher privacy requirements.

These companies have changed internal compliance programs and oversight mechanisms, appointed privacy officers, and amended contracts with third parties that process EU-origin personal data, to name a few. Moreover, companies are taking substantial actions to comply with the EU’s new privacy regime, the General Data Protection Regulation, which will enter into force next year.

These changes complement the US government’s commitments under the agreement, including the establishment of an ombudsperson within the Department of State who will handle EU citizens’ complaints relating to surveillance activities.

The Privacy Shield’s more robust framework provides businesses with the legal certainty they need to continue operating and innovating, a fact reflected in its rapid adoption by companies both large and small, US and European.

Privacy Shield has already attracted a huge amount of companies in its first year: more than half the number of companies that previously certified during the Safe Harbor’s 15 years of operation. Legal certainty is not only important to Privacy Shield-certified companies, but also to their customers.

MEPs want Commission to toughen up Privacy Shield under Trump

The European Parliament wants the European Commission to ‘Trump-proof’ the Privacy Shield data sharing agreement between the EU and the United States after the new US administration threatened to roll back some privacy safeguards.