Privacy & Information Security Law Blog

On March 17, 2016, Bojana Bellamy, President of the Centre for Information Policy Leadership (“CIPL”), participated on a panel of experts at a hearing in front of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) about the new EU-U.S. Privacy Shield for commercial transfers of EU personal data to the U.S.

The Privacy Shield as an Effective Cross-Border Privacy Mechanism

Speaking as “a privacy professional” from the “trenches of corporate data privacy compliance,” Bellamy supported the Privacy Shield, arguing that it is an essential data transfer mechanism that will substantially strengthen data privacy in transatlantic data transfers and deliver effective protections to individuals. According to Bellamy, both European and U.S. companies need a wide spectrum of data transfer mechanisms, including the Privacy Shield, to reflect the diversity of today’s global data flows, companies and their transfer needs.

In discussing the specific commercial privacy enhancements of the Privacy Shield over Safe Harbor, Bellamy pointed out that Privacy Shield certification requires companies to step up their privacy practices, oversight and compliance. Companies will need to implement a comprehensive privacy program within their organizations and remain accountable at all times. This, according to Bellamy, is a significant improvement and guarantor of effective privacy protection and compliance.

She also noted the new oversight, enforcement and redress mechanisms, as well as the mechanisms for ongoing review and updating of the Privacy Shield. Together, these elements make the Privacy Shield, both “on the books and on the ground,” a significantly more robust program than Safe Harbor, and one that meets the requirements of the Court of Justice of the European Union (”CJEU”).

In answer to those who claim the Privacy Shield is an unsatisfactory response to the CJEU decision, Bellamy called for pragmatism and argued that even if that were the case, the Privacy Shield includes a process for ongoing review and modification designed for further improving and perfecting the mechanism.

Bellamy also indicated that the Privacy Shield must not be viewed by itself, as it builds upon strong protections in the new EU General Data Protection Regulation (“GDPR”). For example, under the extraterritorial jurisdiction provision of the GDPR, U.S.-based companies must already comply with the European legal requirements if they monitor or target European citizens for products or services, regardless of Privacy Shield participation. Thus, the Privacy Shield, to a large extent, simply improves enforceability of these requirements, according to Bellamy.

The Privacy Shield as an Enabler of the Modern Digital Economy

Bellamy also placed the Privacy Shield into the context of the modern data economy generally, and the goals of the European Digital Single Market specifically.

She discussed the Privacy Shield’s role as an enabler for European business to be more efficient, productive and connected. It is in the interest of the European Digital Single Market objectives that Europe benefits from exchanges of data, ideas, innovation, talent and people across the Atlantic.

She also touched on the fact that in the absence of the Privacy Shield, businesses would be forced to rely on limited transfer mechanisms that are less than optimal for many of them, as well as for consumer privacy due to, for example, the challenges associated with executing mechanisms in a timely fashion or for future and ever-changing data transfers. Similarly, she emphasized the need to re-introduce legal certainty for businesses that rely on transatlantic data flows.

To illustrate the value of data flows to the economy, Bellamy cited the March 2016 McKinsey report entitled Global Data Flows – Digital Globalization: The New Era of Global Flows. This report, Bellamy indicated, shows that there has been a dramatic increase in global data flows, resulting in the transmission of information and ideas as well as increased innovation, all of which has impacted economic growth to a degree of magnitude that the report calls “quite striking.”

Quoting from the McKinsey report, Bellamy stressed that “[c]ountries cannot afford to shut themselves off from global flows” because the new opportunities that are associated with the digital economy “will favor locations that build the infrastructure, institutions and business environments that their companies and citizens need to participate fully.” Thus, “creating thoughtful frameworks that allow data to move both securely and freely across their borders” is imperative for reaping the economic benefits of the digital economy. Bellamy emphasized to the LIBE Committee that creating such an environment includes having a robust, reliable and stable legal framework for cross-border data flows and that the Privacy Shield is fits the bill as a “thoughtful framework” to enable cross-border data flows.

Thus, according to Bellamy, rejecting the Privacy Shield based on an ill-advised “fortress Europe” mentality would not only be unfavorable for privacy, but would undermine the EU’s ability to successfully participate in what the World Economic Forum calls the “fourth industrial revolution.”