EU-US Tech Allies: Industry compliance? The stakes of Transatlantic Data Flows
The transatlantic relationship is “the biggest and most economically significant partnership in the world”; both Presidents Biden and von der Leyen committed in March 2021 to “repair and revitalise the U.S.-EU partnership.” Moreover, the EU-US data flows make up a significant share of the EU’s data economy. Therefore, we need to find a pathway to a new Privacy Shield, as well as a viable solution to allow for data transfers in the meantime.
In this second session of DIGITALEUROPE’s EU-US Tech Allies Series, we brought key industry players and decision-makers together to take a look at the importance of transatlantic data flows, the role of standard contractual clauses (SCCs) as a reliable transfer mechanism, and the prospects for the swift re-design of the Privacy Shield, which was struck down by the 2020 Schrems II ruling by the European Court of Justice.
- Věra Jourová, Vice President for Values and Transparency, European Commission.
- Cecilia Bonefeld-Dahl, Director General, DIGITALEUROPE.
- Alex Greenstein, Director, Privacy Shield, U.S. Department of Commerce.
- Bruno Gencarelli, Head of International Data Flows and Protection Unit, European Commission.
- Irena Bednarich, Director Corporate Affairs EMEA, HPE and Executive Board Member of DIGITALEUROPE.
- Jussi Mäkinen, Head of Digital Regulation, Technology Industries of Finland and Executive Board Member, DIGITALEUROPE.
The debate was moderated by Cecilia Bonefeld-Dahl, Director General, DIGITALEUROPE.
Renewed transatlantic ties give hope to a deal on the Privacy Shield
The Digital Decade won’t happen without open and trusted data flows. Data is at the heart of cross-border trade, development of key technologies such as artificial intelligence, and the key driver of Europe’s future economic growth. Access to data is creating value in all sectors, from health to manufacturing, and is now far from being considered a purely digital sector issue.
Yet, free flow of international data came to a halt following last year’s Schrems II ruling by the Court of Justice of the European Union (CJEU). In our Schrems II impact survey, DIGITALEUROPE found that 9 in 10 companies based in Europe exchange data internationally. And 85 per cent of companies rely on standard contractual clauses (SCCs) to do so.
With negotiations for an updated SCCs framework and an enhanced Privacy Shield between the EU and the US intensifying, where does the Commission stand? Věra Jourová, Vice President for Values and Transparency, acknowledged that both sides of the Atlantic have a challenging task ahead. The new US administration has given hope, she admitted, to a new and more positive EU-US relationship, ultimately bringing us closer to a deal. Crucially, she noted, transfers are not just about data protection, but about two like-minded regions working together.
In conversation with Director-General Cecilia Bonefeld-Dahl, Vice President Jourová stressed that any future agreement must be wholly compliant and consistent with the CJEU ruling on Schrems II: “we simply cannot have the new agreement struck down by the CJEU again, we must avoid Schrems III”.
“In the cooperation with the US, there is a new chance to set a dialogue and reinvigorate our alliance, inspiring the rest of the world. The GDPR is a global model: other regions are converging to similar rules. Renewed political commitment will ultimately translate into concrete workable solutions.”
While an update of the SCCs is still underway, VP Jourová acknowledged that progress has been made in collaboration with the European Data Protection Board. Speed must not come first, she insisted, but rather the quality and robustness of the agreement.
Speaking on the prospects of a swift agreement on the Privacy Shield, she stressed that the US and the EU must be able to find a solution that is based on common principles. The Commission, she said, remains highly confident that a transatlantic solution aligned with the ruling is possible.
It was concluded that, to relaunch the transatlantic relationship, it is imperative that the EU should not be considered a competitor with the US but rather a partner with common goals and values.
Data flows and data protection are now global issues and call for joint solutions
Moving to the panel discussion, Bruno Gencarelli, Head of the International Data Flows and Protection Unit at the European Commission, noted the landmark nature of the Schrems II ruling, which acts as Europe’s compass: it was the first judgement ever to rule on a general framework for data transfers, rather than on specific data transfer agreements, as was the case in Schrems I.
The ruling has made many policy makers re-assess how we interpret and apply certain GDPR provisions when it comes to third countries, and that means the issue of data flows and data protection is not strictly European but global. Gencarelli raised a thought-provoking question in his contribution: how do we protect a right in an interconnected, borderless world?
“What were once European-only issues are now becoming global issues. Finding a solution is complex, and not an easy balancing act, but as like-minded partners, the EU and the US should and will be able to find a solution.”
Considering the specific challenges posed by data flows, he went on, it becomes clear that in order to achieve a credible, robust data protection framework, we must align on international rules. Indeed, data flows and data protection rules can and should complement each other.
Seconding this, Alex Greenstein, Director of Privacy Shield at the U.S. Department of Commerce, added that the stakes have only gotten higher as data flows have become an even larger portion of both US and EU economies. Indeed, President Biden considers finalizing the Privacy Shield a top priority.
He went on to caution, however, that the Schrems II ruling brought SCCs as a whole into question, and warned that the ruling has ultimately impacted all data transfer mechanisms at large, rather than just the Privacy Shield.
However, Greenstein praised the fact that SCCs were not invalidated by the ruling, allowing our economies to rely on viable transfer mechanisms – acting as a “saving grace”.
“It is important to remain optimistic that we can reach a deal. Since the EU and US are like-minded on principles, it’ll be very likely we can come up with a principle-based agreement.”
Lack of legal clarity has disrupted European businesses’ daily operations
Pleased to hear about a renewed impetus for a new agreement and framework, Irena Bednarich (Director Corporate Affairs EMEA, HPE and Executive Board Member of DIGITALEUROPE) brought the first industry perspective to the panel.
In full agreement with Jourová that quality needs to come before speed when looking for a solution to the Privacy Shield agreement, Bednarich, too, stressed the necessity of time in order to get it right and avoid a Schrems III scenario.
Ultimately, granting industry reliable legal consistency should be the priority – but what do we do in the interim? We must have practical solutions when using alternative data transfer mechanisms that will allow industry compliance with the ruling.
Indeed, referencing the DIGITALEUROPE survey, she stressed that only 9 per cent of companies are not transferring data outside of Europe – and 75 per cent of companies transferring data do so to more than one jurisdiction.
There was a consensus, therefore, that assessing the third country law is difficult and highly burdensome for industry. 94 per cent of the transfers take place across the Atlantic, so it’s evident that transatlantic alignment is the most urgent issue. Citing further findings, she stressed how 92 per cent of companies reported that reassessing the use of SCCs in compliance with the ruling caused moderate to high costs for them.
“There are a lot of concerns and troubling elements with the current draft EDPB guidelines. For example, encryption being considered as a predominant safeguard or supplementary measure for data transfers, regardless of the data and circumstances, would ensure that all the data being transferred is not readable. This would ultimately render the data pointless as the industry could no longer utilize it on any level.”
Jussi Mäkinen, Head of Digital Regulation at Technology Industries of Finland and Executive Board member of DIGITALEUROPE, corroborating this, emphasized that the vast majority of companies affected by this uncertainty are small and medium-sized enterprises, which lack data protection officers or even legal departments.
Ensuring compliance with complicated regimes, therefore, is extremely difficult. TechFinland and DIGITALEUROPE member companies are exporting globally, and the ability to comply with the requirements listed in the EDPB’s opinion on supplementary measures is a monumental task for many.
“Our members are concerned about how to keep their daily business growing in order to keep employees. We must think not only about how companies can comply, but how they can carry on with daily business.”
Quality over speed to keep transatlantic data flowing
Throughout the discussion, there was a strong consensus that lack of legal certainty has disrupted businesses’ day-to-day operations, with dire consequences especially for the smaller players. It is fundamentally difficult for large companies to operate in these circumstances, let alone SMEs.
While the outcome of the Schrems II ruling makes a new agreement the top priority for both the EU and the US, we should favour quality over speed to ensure a robust outcome and avoid a “Schrems III” scenario.
What to do in the interim period? It was clear that until a satisfactory agreement – which takes into account the struggles of smaller companies as well – is reached, standard contractual clauses remain the most reliable and palatable solution for keeping transatlantic data flowing.