Blog | 03 Mar 2022

With the Privacy Shield regulation rescinded, here are four ways companies can protect their data—and themselves

Teri Robinson

Managing Editor, Thought Leadership

It’s not every day that a top executive at a major technology company calls for more regulation. But that’s exactly what Kent Walker, president of Global Affairs and Chief Legal Officer at Google and Alphabet, did recently when he called on the EU and the US government to finally sign off on a replacement agreement for the EU-US Privacy Shield that was thrown out by a European Court in 2020.

“The stakes are too high—and international trade between Europe and the US too important to the livelihoods of millions of people—to fail at finding a prompt solution to this imminent problem,” Walker wrote in an early-2022 blog post, after an Austrian court affirmed the ruling and just before France followed suit, with other EU nations expected to follow.

Alphabet and other US multinationals are right to worry. The so-called Schrems II decision, named after the activist who provoked a legal showdown over privacy, shattered the framework that defined what US-based companies must do to protect personal data flowing across borders, and left them at the mercy of European regulators who could at any time question their data protection practices. The case at hand involves the popular Google Analytics service, but the implications extend to the entire digital economy.

Interrupting the flow of data can have broad economic impact. According to research cited by the Congressional Research Service, restricting data flows between countries by just one percent can reduce gross trade output by 7%, slow productivity by 2.9%, and boost downstream prices by 1.5% over five years.

EU policies are one of many privacy issues besetting Big Tech, with Apple’s with strong stance on user tracking by advertisers blamed for Facebook parent Meta’s whopping loss last quarter—the second quarter in a row that the social media giant was rocked by a slowdown in growth. In terms of stock prices, at least, Apple so far packs more punch than the EU.

But the tensions between Europe and the US are serious, and anyone counting on quick regulatory relief may be disappointed. US government surveillance practices are at the heart of the matter, and those do not change easily. Most companies, meanwhile, are not ready for the bumpy ride ahead: Less than one-third of respondents to a recent survey for NTT DATA say their businesses are prepared for public policy changes.

Underprepared for tomorrows challenges

In lieu of a new agreement, there are steps US multinationals can take to protect their data—and their bottom lines—from the long arm of regulators, and knock-on effects that could echo across the global economy:

  1. Make a separate peace. Hammer out standard contracted clauses (SCCs) with individual EU and non-EU countries. The SCC is just about the only protective tool the EU court left for US multinationals to use. Be forewarned: While the contracts can be seen as a confirmation that data transfer and storage processes have been assessed, they are vague and the EU courts say the agreements are not above further legal scrutiny.
  2. Pick a strong privacy law and stick with it. Guide company policy by an existing (and strict) privacy regulation. That means adopting the standards set forth in the most stringent of rules, whether it is Europe’s GDPR or the California Consumer Privacy Act. That tactic may not offer full protection, but it will go a long way in convincing regulators that a company is serious about privacy.
  3. Stay the course on Privacy Shield. While it may no longer protect US companies, the strictures imposed by the now defunct agreement still represent the measures the EU believes constitute a serious commitment to privacy protection.
  4. Know your data. Companies can’t protect—or prove they’ve protected—data when they don’t know it exists, where it is located, how it is used, or who can see it. This may seem basic, but our research shows time and again that many organisations struggle with these building blocks of digital health.

The demise of Privacy Shield protections has not provoked the dire consequences organisations feared—yet. But as the world awakens from the inertia of the pandemic and heavyweights like Apple flex their privacy chops, US companies would be wise to act now to protect themselves.

You may be interested in


The TikTok Effect: The socioeconomic impact of TikTok in five European countries

Oxford Economics were commissioned by TikTok undertake economic modelling of the impact of SMEs using TikTok as an innovative platform for growth. To do this, we drew on new survey research, complemented by case studies of SMEs.

Find Out More
industrial workers


Machine tools boosted by US fiscal policies and tech spending

The US machine tool industry has navigated through volatile markets in recent years. While the number of new orders has come off its high point, they remain well above pre-pandemic levels, with producer inventories now reflecting a more normal operating environment.

Find Out More
tuk tuk


Ride-Hailing: a platform for Women’s economic Opportunity in Sri Lanka 

Our latest report delves into the transport challenges limiting women’s economic participation in the Sri Lankan economy and explores the role that ride-hailing can play in overcoming the mobility barriers that are holding women back.

Find Out More
Close-up of Person's Hand Using Ride Sharing App on Phone


Ride-Hailing: A Platform for Women’s Economic Opportunity in India

Our latest report explores the transport challenges limiting women's economic participation in the Indian economy and the role that ride-hailing can play in overcoming them.

Find Out More