Blog|3 March 2022

With the Privacy Shield regulation rescinded, here are four ways companies can protect their data—and themselves

Teri Robinson
Managing Editor, Thought Leadership

It’s not every day that a top executive at a major technology company calls for more regulation. But that’s exactly what Kent Walker, president of Global Affairs and Chief Legal Officer at Google and Alphabet, did recently when he called on the EU and the US government to finally sign off on a replacement agreement for the EU-US Privacy Shield that was thrown out by a European Court in 2020.

“The stakes are too high—and international trade between Europe and the US too important to the livelihoods of millions of people—to fail at finding a prompt solution to this imminent problem,” Walker wrote in an early-2022 blog post, after an Austrian court affirmed the ruling and just before France followed suit, with other EU nations expected to follow.

Alphabet and other US multinationals are right to worry. The so-called Schrems II decision, named after the activist who provoked a legal showdown over privacy, shattered the framework that defined what US-based companies must do to protect personal data flowing across borders, and left them at the mercy of European regulators who could at any time question their data protection practices. The case at hand involves the popular Google Analytics service, but the implications extend to the entire digital economy.

Interrupting the flow of data can have broad economic impact. According to research cited by the Congressional Research Service, restricting data flows between countries by just one percent can reduce gross trade output by 7%, slow productivity by 2.9%, and boost downstream prices by 1.5% over five years.

EU policies are one of many privacy issues besetting Big Tech, with Apple’s strong stance on user tracking by advertisers blamed for Facebook parent Meta’s whopping loss last quarter—the second quarter in a row that the social media giant was rocked by a slowdown in growth. In terms of stock prices, at least, Apple so far packs more punch than the EU.

But the tensions between Europe and the US are serious, and anyone counting on quick regulatory relief may be disappointed. US government surveillance practices are at the heart of the matter, and those do not change easily. Most companies, meanwhile, are not ready for the bumpy ride ahead: Less than one-third of respondents to a recent survey for NTT DATA say their businesses are prepared for public policy changes.

Underprepared for tomorrow’s challenges

In lieu of a new agreement, there are steps US multinationals can take to protect their data—and their bottom lines—from the long arm of regulators, and knock-on effects that could echo across the global economy:

  1. Make a separate peace. Hammer out standard contractual clauses (SCCs) with individual EU and non-EU countries. The SCC is just about the only protective tool the EU court left for US multinationals to use. Be forewarned: While the contracts can be seen as a confirmation that data transfer and storage processes have been assessed, they are vague and the EU courts say the agreements are not above further legal scrutiny.
  2. Pick a strong privacy law and stick with it. Guide company policy by an existing (and strict) privacy regulation. That means adopting the standards set forth in the most stringent of rules, whether it is Europe’s GDPR or the California Consumer Privacy Act. That tactic may not offer full protection, but it will go a long way in convincing regulators that a company is serious about privacy.
  3. Stay the course on Privacy Shield. While it may no longer protect US companies, the strictures imposed by the now defunct agreement still represent the measures the EU believes constitute a serious commitment to privacy protection.
  4. Know your data. Companies can’t protect—or prove they’ve protected—data when they don’t know it exists, where it is located, how it is used, or who can see it. This may seem basic, but our research shows time and again that many organisations struggle with these building blocks of digital health.

The demise of Privacy Shield protections has not provoked the dire consequences organisations feared—yet. But as the world awakens from the inertia of the pandemic and heavyweights like Apple flex their privacy chops, US companies would be wise to act now to protect themselves.
