At the turn of the 21st century, the internet grew to become a vital conduit for trade. International markets became accessible to any organization or entrepreneur with a modem, and consumer data, known as personally identifiable information (PII), emerged as an important component of commerce. However, U.S. and European laws do not impose the same digital privacy rules, so a trade agreement known as Safe Harbor was enacted to harmonize the differences and to make it easier for companies to comply with a single legal framework.
For a decade under Safe Harbor, the U.S. and EU engaged in a robust cross-border trade of private citizen data that U.S. Secretary of Commerce Penny Pritzker recently stated is worth $260 billion. Then, in 2013, a CIA employee by the name of Edward Snowden blew the whistle on what he regarded as unconstitutional domestic surveillance and intelligence gathering activities. Europeans and the rest of the global community were shocked, a lawsuit was filed and, in October of 2015, the Safe Harbor framework was invalidated by what is now known as the Schrems Decision—the culmination of an erosion of trust that seemed to take U.S. industry by surprise but, in hindsight, was not at all surprising. Safe Harbor’s foundation was a long-standing assumption of trust between trading partners and that trust was broken.
In an effort to restore simplified cross-border data exchange, a new proposal known as the EU-U.S. Privacy Shield was drafted and submitted to Europe’s privacy watchdog group, the Article 29 Working Party, for ratification earlier this year. The first draft was rejected over what the EU’s privacy chiefs deemed to be inadequate protections and redress. While Europe’s Article 29 Working Party waits for a revised draft of the EU-U.S. Privacy Shield agreement, American companies with overseas interests must continue to engage in trans-Atlantic data-sharing—and many are worried about what to do while diplomacy plays out.
Even with the likelihood that a rewritten Privacy Shield will be adopted by the EU, there remains uncertainty. What is a company to do while waiting for a Privacy Shield agreement that is acceptable to the EU privacy commissioners?
The first step is for companies to recognize that they remain responsible for the way PII is protected and respected. Privacy Shield will make things easier than they would be otherwise, but compliance and the ongoing maintenance of trust take effort. That means investing in the programs, training and tools required to protect data. In the U.S., companies are already compelled to invest in systems and practices that comply with privacy and data security laws in order to protect the public. According to research firm Gartner, total spending on information security products last year eclipsed $75 billion.
Security alone is not enough. Contractual obligations between companies that meet the standards prescribed by the various jurisdictions are necessary. Once such contracts are in place, the governance of data transfers—assurances that both data security and data management policies are adequate to current legal standards and are being followed—must be documented in order to demonstrate to regulating authorities that operations are compliant with the law and with binding contracts. It is one thing to say you know the rules and still another to verify compliance. This is vital for the company’s own protection should privacy violations be alleged. And, of course, this should all be done with the support of legal counsel.
Trans-Atlantic data transfer did not end abruptly when Safe Harbor was invalidated. U.S. and EU trading partners continue to do business and will do so with or without Privacy Shield, and forward-looking companies would do well to recognize that data security is a challenge that will grow more difficult no matter what trade agreements are in place. Compliance is a floor, not a ceiling, and companies should therefore set their own high standards for protecting and managing data. That is how to build and maintain trust.