As economies around the world are sputtering back to life following an unprecedented global pandemic, the EU and U.S. continue to face a massive disruption to a key business driver – the transfer of data between the two regions.
In the Schrems II case last July, Europe's highest court ruled that Privacy Shield, an EU-U.S. data transfer agreement, was invalid. The ruling also cast doubt upon the reliability of another transfer mechanism, standard contractual clauses (SCCs), citing concerns that U.S. surveillance authorities did not provide an adequate level of protection for the privacy rights of European citizens. Ever since, the already shaky future of transfers of personal data held by companies in the EU to the U.S. following Schrems II has grown even more uncertain.
The prospective economic impacts of a data flows stoppage in the EU and U.S. should be well understood by now. Cross-border data flows between the U.S. and Europe are the largest in the world. They power critical trade relationships and are valued at approximately 1.3 trillion U.S. dollars annually, accounting for half of both economies’ data flows.
Virtually all industries that conduct transatlantic business are affected by this uncertainty – including small and medium-sized enterprises, start-ups, and scale-ups operating in the U.S. and across Europe. Avoiding disruptions to data flows is key to minimize any negative economic consequences, particularly in the wake of the COVID-19 crisis and the ongoing economic recovery in both Europe and the U.S.
The good news is that productive negotiations are underway between the U.S. and EU to address the underlying issues in the Schrems II decision, which will result in a new agreement that protects privacy and avoids trade disruptions by enabling seamless transatlantic data flows consistent with fundamental rights.
Further, the European Commission is expected to soon finalize updated SCCs that contain supplemental safeguards allowing companies to use the transfer mechanism in adherence with the Schrems II judgment. Additional guidance is also expected from the European Data Protection Board.
In addition, the Organisation for Economic Cooperation and Development (OECD) has initiated a workstream that will develop a set of principles on “Trusted Government Access to Data held by the Private Sector” representing a consensus amongst OECD members who share a commitment to protecting fundamental rights, including privacy, and the rule of law, including legitimate law enforcement access. The OECD working group includes government representatives with law enforcement and national security expertise and will draw on the input of other stakeholders including privacy experts and businesses. The working group has already identified many commonalities in privacy safeguards regarding surveillance practices among like-minded democracies, and it is expected to publish a report in June. ITI and other organizations including the Business at OECD (BIAC) group issued a statement on May 5, 2021 supporting the OECD’s ongoing work and the need for a durable, multilateral, interoperable approach to ensure trusted government access to data.
Given the array of stakeholders who are simultaneously developing solutions to the issues raised by Schrems II, we trust a more durable and comprehensive solution is within reach. Enforcement of data protection rules is paramount, and is best achieved by attaining as the primary objective a lasting approach to ensure that companies large and small have legal certainty and that their customers can continue to benefit from their products and services and have reliable privacy protections.
Last July’s Schrems II ruling left many businesses scrambling to find an alternative without interrupting essential business operations. We should not let history repeat itself.