Blog | 03 Mar 2022

With the Privacy Shield regulation rescinded, here are four ways companies can protect their data—and themselves

Teri Robinson

Managing Editor, Thought Leadership

It’s not every day that a top executive at a major technology company calls for more regulation. But that’s exactly what Kent Walker, president of Global Affairs and Chief Legal Officer at Google and Alphabet, did recently when he called on the EU and the US government to finally sign off on a replacement agreement for the EU-US Privacy Shield that was thrown out by a European Court in 2020.

“The stakes are too high—and international trade between Europe and the US too important to the livelihoods of millions of people—to fail at finding a prompt solution to this imminent problem,” Walker wrote in an early-2022 blog post, after an Austrian court affirmed the ruling and just before France followed suit, with other EU nations expected to follow.

Alphabet and other US multinationals are right to worry. The so-called Schrems II decision, named after the activist who provoked a legal showdown over privacy, shattered the framework that defined what US-based companies must do to protect personal data flowing across borders, and left them at the mercy of European regulators who could at any time question their data protection practices. The case at hand involves the popular Google Analytics service, but the implications extend to the entire digital economy.

Interrupting the flow of data can have broad economic impact. According to research cited by the Congressional Research Service, restricting data flows between countries by just one percent can reduce gross trade output by 7%, slow productivity by 2.9%, and boost downstream prices by 1.5% over five years.

EU policies are one of many privacy issues besetting Big Tech, with Apple’s strong stance on user tracking by advertisers blamed for Facebook parent Meta’s whopping loss last quarter—the second quarter in a row that the social media giant was rocked by a slowdown in growth. In terms of stock prices, at least, Apple so far packs more punch than the EU.

But the tensions between Europe and the US are serious, and anyone counting on quick regulatory relief may be disappointed. US government surveillance practices are at the heart of the matter, and those do not change easily. Most companies, meanwhile, are not ready for the bumpy ride ahead: Less than one-third of respondents to a recent survey for NTT DATA say their businesses are prepared for public policy changes.

Underprepared for tomorrow’s challenges

In lieu of a new agreement, there are steps US multinationals can take to protect their data—and their bottom lines—from the long arm of regulators, and knock-on effects that could echo across the global economy:

  1. Make a separate peace. Hammer out standard contractual clauses (SCCs) with individual EU and non-EU countries. The SCC is just about the only protective tool the EU court left for US multinationals to use. Be forewarned: While the contracts can be seen as a confirmation that data transfer and storage processes have been assessed, they are vague and the EU courts say the agreements are not above further legal scrutiny.
  2. Pick a strong privacy law and stick with it. Guide company policy by an existing (and strict) privacy regulation. That means adopting the standards set forth in the most stringent of rules, whether it is Europe’s GDPR or the California Consumer Privacy Act. That tactic may not offer full protection, but it will go a long way in convincing regulators that a company is serious about privacy.
  3. Stay the course on Privacy Shield. While it may no longer protect US companies, the strictures imposed by the now defunct agreement still represent the measures the EU believes constitute a serious commitment to privacy protection.
  4. Know your data. Companies can’t protect—or prove they’ve protected—data when they don’t know it exists, where it is located, how it is used, or who can see it. This may seem basic, but our research shows time and again that many organisations struggle with these building blocks of digital health.

The demise of Privacy Shield protections has not provoked the dire consequences organisations feared—yet. But as the world awakens from the inertia of the pandemic and heavyweights like Apple flex their privacy chops, US companies would be wise to act now to protect themselves.
