‘Schrems II’: What Invalidating the EU-U.S. Privacy Shield Means for Transatlantic Trade and Innovation

December 7, 2020

Introduction

‘Schrems II’ and EU-U.S. Privacy Shield: Severing a Critical Connection

The EU-U.S. Privacy Shield: A Bridge Between Different Approaches to Data Protection

Whatever the Legal Technicalities, Data Transfers are Necessary and Beneficial to Transatlantic Trade and Innovation

Who Used Privacy Shield, and What the Impact Would Be if There’s No Framework for Data Transfers

Privacy Shield’s Demise: An Uncertain, and Potentially Broad, Impact on Transatlantic Trade and Innovation

Conclusion

Endnotes

Introduction

The July 2020 decision by the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield will have an immediate and potentially long-term impact on the thousands of organizations that relied on it to legally transfer data abroad for operations, customer service, communications, research and development, and human resources. Data transfers are a necessity for trade and innovation in the global digital economy, especially during the COVID-19 pandemic. These organizations—mostly small and medium-sized businesses, from diverse sectors and countries—face considerable uncertainty about their alternatives for managing data transfers, as these options are more costly and complicated, and themselves now on shaky legal grounds. The other choice—de facto forced local data storage in Europe—is also costly and complicated for firms, and would divert resources from more meaningful steps organizations could take to protect data. Policymakers on both sides of the Atlantic need to realize what is at stake and urgently work together to establish a new legal framework.

A clear, predictable, and accessible legal framework for data protection makes it easier for organizations to manage and transfer data. Transatlantic data flows allow firms from all sectors to benefit from data-driven innovation, strengthen trade between countries in a growing range of digital and digitally enabled goods and services, and expand consumers’ access to a growing variety of goods and services.[1] The EU-U.S. Privacy Shield was especially important in enabling small and medium-sized enterprises (SMEs) on both sides of the Atlantic to transfer data abroad, because they lack the resources and expertise to use other, more costly and complicated legal mechanisms.

Attempts at reconciling the EU and U.S. approaches to data protection have long been bedeviled by concerns over surveillance and implicit protectionism. While both sides have agreed on legal tools to establish transatlantic data flows—initially the U.S.-EU Safe Harbor in 2000, and more recently the EU-U.S. Privacy Shield—EU courts have now undermined these efforts twice, with the Schrems I and Schrems II rulings. Though the latest setback is no doubt frustrating for EU and U.S. policymakers, it has hopefully clarified where further work is needed to resolve the outstanding issues and develop a cooperative, integrated, and stable transatlantic relationship on digital policy. If policymakers do not create an alternative to the EU-U.S. Privacy Shield, firms from a broad range of sectors on both sides of the Atlantic will suffer—just as COVID-19 accelerates the digital transformation of our society and economy.

It’s an especially challenging context for EU-U.S. negotiations and any potential new agreement. Many policymakers’ views are shaped by recent bilateral trade and political tensions. There’s also a tendency for some to view digital policy through a singular lens that focuses only on leading American technology firms. Policymakers are also understandably preoccupied by other pressing issues, including the COVID-19 pandemic’s health and economic impacts and preparing for an incoming Biden administration. This means there’s a real risk that policymakers may not recognize the immediate and long-term consequences if this critical component of the transatlantic economic relationship is not quickly repaired or replaced. While creating a new solution will be challenging and require substantial work by both sides, a history of good-faith engagement, an openness to new ideas, and shared values thankfully provide a foundation for the EU and United States to create something that is mutually beneficial.

This brief provides an overview of the EU-U.S. Privacy Shield, who uses it, and the impacts its invalidation could have on individual firms and digital innovation more broadly. Ultimately, policymakers need to realize what is at stake and prioritize creating a solution.

‘Schrems II’ and EU-U.S. Privacy Shield: Severing a Critical Connection

In Schrems II, the ECJ found that the data surveillance laws and compliance requirements for data processors in the United States made it impossible for firms to ensure that, once transferred, individuals’ data in the United States received equivalent protections to those in the EU. Specifically, the court identified Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which allow U.S. intelligence agencies to collect data on foreign nationals, as inconsistent with rights guaranteed in the EU Charter.

The U.S. government disputes the merits of the ECJ’s ruling, arguing that the court did not consider many of the oversight functions in place, some of which were adopted only recently. For example, the U.S. Foreign Intelligence Surveillance Court actively monitors whether U.S. intelligence agencies properly target individuals to obtain intelligence information.[2] In addition, U.S. laws, including FISA and the Administrative Procedure Act, allow foreign individuals to seek redress for violations in U.S. courts through civil lawsuits.

Moreover, there are serious questions about the rationale of the ECJ’s decision. The simple fact is that the vast majority of companies that used the EU-U.S. Privacy Shield hold no data of relevance to national security, and are unlikely ever to be subject to a FISA-related request. Regardless, all participants in the EU-U.S. Privacy Shield have lost the ability to transfer data under this program, even though the concern is unrealistic for most of them.

The ECJ’s ruling invalidated the European Commission’s adequacy decision that allowed firms to self-certify under the EU-U.S. Privacy Shield. As a result, organizations are no longer able to use this framework to transfer personal data, and must use alternative transfer mechanisms. The Schrems II ruling upheld the validity of Standard Contractual Clauses (SCCs), but only where the exporter assesses the laws of the importing country and, where needed, adopts “supplementary measures” to ensure an essentially equivalent level of protection. The European Data Protection Board’s (EDPB) recommendations on these measures provide some guidance, but considerable uncertainty remains about how to implement them alongside European Commission policy advice and past and upcoming ECJ rulings related to SCCs, and about how each EU member state’s Data Protection Authority (DPA) will interpret and enforce all of these changes.[3] In short, there is still a lack of clarity around SCCs, what constitutes supplementary measures, and what counts as sufficient data protection in the absence of an adequacy decision. Exporters can also use other legal alternatives, such as Binding Corporate Rules (BCRs) and derogations, to ensure compliance.

The EU-U.S. Privacy Shield: A Bridge Between Different Approaches to Data Protection

The EU and United States use bridging mechanisms—first Safe Harbor, and most recently Privacy Shield—because they manage data protection very differently, yet both recognize the importance of data transfers for trade and innovation. The United States uses a risk- and accountability-based approach wherein firms remain legally responsible for managing data wherever they transfer and store it, whereas the EU uses a more rigid, compliance-based approach that restricts international data transfers to a small list of countries it says provide the same protection as the EU’s General Data Protection Regulation (GDPR).[4] In making these determinations, the European Commission considers both the levels of legal protection in an importing country and the potential impacts of stopping data flows to that country. These determinations don’t allow onward transfer of EU personal data to third countries (unless they’re also deemed adequate or another legal tool is used). Because the EU does not deem the United States to have met its adequacy test, it has worked with the United States to establish a program to address the differences. U.S. firms, and EU firms with U.S. subsidiaries, must abide by these additional legal mechanisms to receive EU personal data.

The EU-U.S. Safe Harbor framework, established in 2000, provided this bridge initially. After the ECJ invalidated Safe Harbor in the Schrems I decision, the United States and EU negotiated the Privacy Shield framework in 2016. Privacy Shield was developed to provide a more robust interoperability mechanism for managing transfers of EU personal data between the United States and EU. The agreement was welcomed on both sides of the Atlantic, with then-vice president of the Commission Andrus Ansip noting that “[EU] businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.”[5] Likewise, then U.S. Federal Trade Commission (FTC) chairwoman Edith Ramirez stated that it was essential to “[ensuring] consumer privacy is protected on both sides of the Atlantic.”[6]

Privacy Shield was a critical bridge between the two regimes in providing the additional safeguards that EU law required for transferring personal data from the EU to the United States. Privacy Shield provided an element of trust to EU consumers, a system of recourse, and an easier pathway to transfer EU personal data. Under Privacy Shield, organizations that intended to transfer data could self-certify adherence to a set of principles through the U.S. Department of Commerce, such as by including additional privacy and protection measures in their data transfer policies and practices.[7] Organizations that remain self-certified must continue to adhere to these principles. Organizations paid an annual fee to participate in Privacy Shield. The fee was based on an organization’s annual revenue, starting at $250 for organizations with up to $5 million in revenue and rising to $3,250 for organizations with over $5 billion in revenue.[8] Privacy Shield was therefore affordable, and thus accessible, to a broad range of smaller firms.

While affordable, Privacy Shield was not necessarily easy or cheap. It was much more than a box-ticking exercise: many firms invested considerable money, time, and effort to build new data protection policies and procedures as part of self-certification (and to maintain compliance). For example, identifying and renegotiating contracts with outside vendors (to embed data handling requirements) involves considerable complexity and administrative cost. Unless firms were already subject to specific U.S. data privacy laws (such as the Health Insurance Portability and Accountability Act), they may never before have had to inventory their data and build out data protection practices for EU personal data. Firms also had to provide a readily available independent recourse mechanism to hear individual complaints (at no cost to the individual).

While electing to self-certify was voluntary, the principles were legally binding once an organization certified, ensuring the framework provided consistent and universal safeguards for transatlantic data transfers. The FTC monitors compliance and has the authority to take legal action against companies that falsely claim Privacy Shield participation or compliance. In April 2019, the Department of Commerce started a system of 30 spot-checks on firms each month to proactively ensure firms were in compliance with their commitments.[9] In the first half of 2020, the FTC finalized settlements with at least 12 companies that misrepresented their participation in Privacy Shield or failed to comply with the Privacy Shield principles.[10] Privacy Shield also gave EU citizens the option to invoke binding arbitration to determine whether an organization had violated the agreement. The U.S. Department of Commerce set up a fund, to which all Privacy Shield organizations contributed, to cover arbitration costs (the fund and the arbitration itself were managed by the International Centre for Dispute Resolution-American Arbitration Association).[11]

Privacy Shield had a significant impact on the data privacy practices of many firms involved in transatlantic trade and innovation. It led many new, especially smaller, firms to allocate more resources and attention to data compliance, which left them better positioned to meet future data compliance requirements in Europe and elsewhere. Thus, the EU-U.S. Privacy Shield established a higher baseline for transatlantic data flows. EU and U.S. policymakers should recognize that this was a good-faith effort by the many firms involved in Privacy Shield, and a positive overall outcome in terms of improved commercial data privacy and digital trade. This is the progress they should aim to build on.

Whatever the Legal Technicalities, Data Transfers are Necessary and Beneficial to Transatlantic Trade and Innovation

The increased digitalization of organizations, driven by the rapid adoption of technologies such as cloud computing and data analytics, has increased the importance of data as an input to trade and commerce, impacting not just information industries, but traditional industries as well.[12] Data flows are critical to the $7.1 trillion transatlantic trade and innovation relationship.[13] The development, adoption, and consumption of data-driven goods and services is central to improved productivity and innovation, and thus standards of living, in the United States and European Union.[14]

As the Information Technology and Innovation Foundation (ITIF) outlined in “Promoting European Growth, Productivity, and Competitiveness by Taking Advantage of the Next Digital Technology Wave,” the EU has an opportunity to make major strides in the next wave of digital transformation, especially in areas where it has a competitive advantage, such as smart manufacturing and technology-enabled business services.[15] But it will require the EU and the United States to put in place the right policies to allow the mutually beneficial movement and use of data, while obviously accounting for their respective approaches to data privacy.

The amount, type, and flow of data continues to grow exponentially. Companies collect and analyze personal data to better understand customers’ preferences and willingness to pay, and adapt their products and services accordingly. It is a simple fact that international trade involving consumers cannot take place without collecting and sending personal data—such as names, addresses, billing information, etc.—across borders. Likewise, modern innovation often requires the transfer of personal data, such as for clinical trials. But personal data is just one part of a broader flow and use of data. Organizations increasingly rely on data to monitor production systems, manage global workforces, monitor supply chains, and support products in the field in real time.

However, personal information is often intertwined with non-personal data. Thus, a restriction on personal data can act as a restriction on the use and transfer of the rest of the information contained in a dataset. Segregating different categories of information within particular datasets, and within truly global cloud storage and data analytics systems, is not straightforward. The Organisation for Economic Co-operation and Development (OECD) report “Trade and Cross-Border Data Flows,” which surveyed 259 firms (headquartered in 48 countries, but mainly in the EU, Japan, and the United States), showed that it is costly and complicated for firms from all sectors to split personal and non-personal data.[16]

Without the Privacy Shield framework, it will become more costly and complicated for organizations to figure out what safeguards are necessary. For SMEs, the additional cost of legal compliance and operational changes to IT systems may reach a tipping point that changes the cost/benefit ratio of transatlantic trade, leading them to withdraw.

Who Used Privacy Shield, and What the Impact Would Be if There’s No Framework for Data Transfers

The death of Privacy Shield will be felt across industries in both the United States and the EU. The firms that used it represent virtually all segments of the global digital economy, well beyond those considered “tech.” Privacy Shield’s growing importance is a direct reflection of the increasingly critical role of data and data flows in transatlantic trade and innovation. As of October 2020, 5,211 firms were actively self-certified under Privacy Shield. Previous studies by the Future of Privacy Forum show that membership had grown significantly since its inception: from 2,177 firms in September 2017 to 3,703 in September 2018 (70 percent growth) to 5,348 in June 2019 (44 percent growth).[17] The ECJ’s decision has likely contributed to the recent fall in the number of active firms listed under Privacy Shield. Over 1,500 organizations used it to transfer human resources (HR) data (see figure 1).[18]

Figure 1: Privacy Shield use by data category[19]

[Figure 1 not reproduced here: chart of Privacy Shield self-certifications by data category.]

This post first appeared on the website of ITIF (Information Technology and Innovation Foundation).