EU-US Privacy Shield

In September 2017, authorities from the European Commission and the US Department of Commerce gathered in Washington, D.C. to undertake the first annual review of the EU-US Privacy Shield. That transatlantic agreement was enacted in February 2016 to govern data flows between the European Union and the United States. 

The Privacy Shield replaces Safe Harbour, the data governance framework that was struck down by the European Court of Justice in October 2015 for violations of EU privacy law. The ECJ ruling stemmed from a lawsuit filed by the young Austrian lawyer Maximilian Schrem, who charged Facebook with sharing the personal data of EU citizens with US intelligence agencies. The Schrem-Facebook case echoed public controversy over Eric Snowden, the former CIA employee who disclosed the private surveillance operations of the US National Security Agency. The ECJ ruled that Safe Harbour did not ensure that companies undertaking transatlantic data transfers would respect the “fundamental rights” of privacy of EU citizens, prompting officials in Brussels and Washington hurriedly to negotiate an alternative framework. 

The Privacy Shield promises several improvements over Safe Harbour:

  • Strengthened safeguards on US governmental access to private data
  • Heightened monitoring of companies to ensure compliance with Privacy Shield rules
  • Expanded options for EU citizens to secure redress for privacy violations
  • Increased cooperation between the US Department of Justice and European Data Protection
  • Authorities
  • Appointment of a Private Shield Ombudsman to mediate transatlantic privacy disputes

American and European representatives meeting in Washington to review the inaugural year of the Privacy Shield jointly declared that the agreement provided an “adequate level” of protection of personal data transferred from the EU to the US. Facebook and other leading American technology companies (Amazon, Apple, Google, Microsoft, et al) herald the Privacy Shield as a workable framework that strikes a reasonable balance between the privacy rights of EU/US citizens and the imperatives of the global digital economy.

But the Privacy Shield faces a number of legal, regulatory, and political challenges. Maximilian Schrem and other European privacy activists continue to contest the legality of transatlantic transfers of personal data. On October 3, the High Court of Ireland (where Facebook and other American technologies operate their European headquarters) declared “well founded concerns” over US surveillance of Facebook information on Irish citizens warranting referral to the European Court of Justice.
The legal fate of the Privacy Shield has major implications for data flows between the EU and US, which constitute a growing component of transatlantic commerce.

Global Digital Economy 

These shifts in transatlantic data governance parallel a dramatic expansion of the global digital economy. Amid weak GDP growth worldwide and flattening of traditional foreign trade and investment, international digital exchanges are rapidly growing. McKinsey Global Institute estimates that between 2005 and 2014, cross-border data flows surged 45 times, far surpassing growth of international flows of conventional goods, services, and finance. In 2014 alone, digital trade contributed $2.4 trillion to global GDP. McKinsey predicts cross-border data flows will increase another 9 times by 2021 amid continuing progress in digital technologies (Big Data, Artificial Intelligence, Internet of Things, Cloud Computing, 5G Broadband). McKinsey Global Institute, “Digital Globalisation: The New Era of Globalisation”, March 2016.

The global digital economy includes the following sectors:

E-Commerce U.S.-based Amazon, China-based Alibaba, and other companies are leading the globalisation of e-commerce, which now represents 15 per cent of international merchandise trade.

Services Advances in digital and encryption technology are spurring the expansion of international trade in services (accounting, consulting, engineering, finance, human resources, law, etc.). 50 per cent of globally traded services are now digitised.

Manufacturing Manufacturing companies are deploying digital technologies (3D printing, IoT, radio frequency identification, computer aided design, etc.) to manage global value chains and promote international product development.

Social Media Social media companies (Facebook, Google, Instagram, Twitter, WhatsApp, WeChat, et al) employ data mining technologies to analyse the behaviour and preferences of consumers worldwide. 

Media and Entertainment Gains in digital technology are accelerating the globalisation of films, music, television, and video games.

Telecommunications Skype and other companies are transforming global telecommunications through low cost and broadly accessible VOIP (Voice Over Internet Protocol) technologies.

Life Sciences Biomedical companies are employing big data technologies to analyse mass information sets gathered from patients and healthcare providers worldwide, facilitating the development and commercialisation of new drugs and therapies.

While large multinational technology companies dominate current discussions of the global digital economy, small and medium enterprises stand to reap significant gains from this development. SMEs leverage the cloud computing platforms of larger industry players (e.g. Amazon Web Services) to scale out of their domestic markets. Such “micro-multinational” companies also engage online payments companies (e.g., PayPal) to manage international transactions and obviate investments in costly financial infrastructure. Similarly, cash-constrained startup firms utilise the digital technology platforms of industry incumbents to pursue “born global” business development strategies.

Digital Trade in the Transatlantic Region

The transatlantic theatre is the fulcrum of the emerging global digital economy. North America and Europe generate approximately 75 per cent of digital content for Internet users worldwide. American and European cities (Frankfurt, London, Amsterdam, Paris, New York, Los Angeles, Miami, Stockholm, San Francisco) represent the world’s foremost hubs for international communication and data exchange. As indicated below, the transatlantic region includes 18 of the top 20 countries in McKinsey’s Global Connectedness Index, which uses flow intensity (data flows relative to national GDP) and flow share (country shares of global data flows) to measure national integration in cross-border data exchanges.

MGI Connectedness Index: Cross-Border Data Flows

  1. Netherlands
  2. Germany
  3. United Kingdom
  4. France
  5. Sweden
  6. Singapore
  7. United States
  8. Belgium
  9. Ireland
  10. Finland
  11. Denmark
  12. Austria
  13. Switzerland
  14. Slovak Republic
  15. Czech Republic
  16. Spain
  17. Hungary
  18. Canada 
  19. Italy
  20. Japan

The digital economy promises significant economic benefits for both businesses (heightened productivity, increased efficiency, accelerated product development, expanded market reach) and consumers (increased product selection, improved quality, lower prices, faster delivery) in the transatlantic area. There remains substantial scope for growth of the digital economy on both sides of the Atlantic. According to McKinsey, the United States has captured just 18 per cent of the upside potential of the digital economy, while the major European countries have captured only 12 per cent.

Public Welfare vs Individual Privacy

Realisation of the potential of the transatlantic digital economy hinges on the formation of governance structures that reconcile public welfare (economic benefits of unfettered cross-border data flows) and individual privacy (protection of the personal information of citizens). It remains to be seen whether the EU-US Privacy Shield offers an acceptable compromise between these imperatives.

Data regulators in the US and EU are contending with the following issues:

Monitoring of Participating Companies
Company participation in the EU-US Privacy Shield is voluntary: American and European companies self-certify with the relevant regulatory agencies by affirming their commitment to the data privacy rules of the shield. Non-compliance with these rules can trigger legal suits, which has in fact occurred on a number of occasions since the consummation of the agreement. Some 1900 companies have enlisted in the Privacy Shield programme. including major digital technology companies like Amazon, Facebook, and Google that are deeply immersed in transatlantic data flows. But the majority of participating organisations are small and medium enterprises, illustrating the growing role of SMEs in the transatlantic digital market.

Alignment of Privacy Shield and GDPR 
In May 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. GDPR aims to modernise and harmonise data privacy laws across all EU member states. The regulation covers a wide range of digital data issues (consent requirements, data breach reporting, information security, etc.) and applies to both EU-based organisations and non-EU companies with operations in Europe. The heavy fines for violations of GDPR (20 million Euros or 4 per cent of gross global revenues of the offending organisation) are intended to incentivisebusinesses to comply with the regulation. Compliance with the cross-border data flow provisions of GDPR depends on rigorous of the Privacy Shield provisions regarding oversight of American companies processing EU citizenry data.

The forthcoming exit of the United Kingdom (scheduled to occur in March 2019) raises potential complications with the Privacy Shield, which is framed as a bilateral agreement between the European Union and the United States. As a major partner of the US in the digital technology space, the UK will presumably need to negotiate a separate data protection agreement with Washington after departing the EU. Brexit will also entail the UK's exit from the EU's Digital Single Market programme.

Data Localisation
Notwithstanding the European Commission’s efforts to harmonise digital governance rules across EU member states, many data protection laws and regulations remain the purview of national governments that display wide differences on privacy issues. Small, open, ICT-intensive countries (e.g., Estonia, Ireland, Denmark, Finland, Benelux) generally support pan-EU digital liberalisation. Other countries exhibit greater caution regarding the tension between cross-border digital trade and individual privacy. Absent an EU consensus on the digital governance question, technology companies may face threats of data localisation (requirements to store data within particular jurisdictions) that could hinder realisation of the economic benefits of transatlantic digital trade.

This article was written by David Bartlett
Executive in Residence
Director of Global and Strategic Projects
Kogod School of Business
American University
Washington, D.C.

The publication is not intended to provide specific business or investment advice. No responsibility for any errors or omissions nor loss occasioned to any person or organisation acting or refraining from acting as a result of any material in this publication can, however, be accepted by the author(s) or RSM International. You should take specific independent advice before making any business or investment decision.RSM International is the brand used by a network of independent accounting and consulting firms. Each member of the network is a legally separate and independent firm. The brand is owned by RSM International Association. The network is managed by RSM International Limited. Neither RSM International Limited nor RSM International Association provide accounting or consulting services. The network using the brand RSM International is not itself a separate legal entity of any description in any jurisdiction. RSM International Limited is a company registered in England and Wales (company number 4040598) whose registered office is at 50 Cannon Street, London EC4N 6JJ. Intellectual property rights used by members of the network including the trademark RSM International are owned by RSM International Association, an association governed by articles 60 et seq of the Civil Code of Switzerland whose seat is in Zug. © RSM International Association, 2018