One year ago the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, sending U.S. and European businesses that depend on data flows scrambling for alternatives. As negotiators work to find a solution that will protect international data transfers, some say part of the solution lies within a federal privacy law.
“We simply must enact a national uniform consumer data privacy law,” U.S. Rep. Suzan DelBene, D-Wash., said during the keynote address of a Brookings Institution event, “Trans-Atlantic data flows: What’s next after the EU-U.S. Privacy Shield.” DelBene continued, “With no federal standard, states are going at this on their own. While this is advancing the conversation, we need federal legislation that provides a national standard of protection no matter what state you’re in. A patchwork of state laws won’t work in our digital world, it will be incredibly complex for businesses, especially small businesses, and it won’t help us in negotiating a new framework for trans-Atlantic data flows.”
DelBene said data flows are “critical to our shared economic future,” while a surge in internet users — now more than half the world’s population — and changes in how data is understood and used “fundamentally changed the global economy and trans-Atlantic trade.” Nowhere is the digital trade relationship more important than between the U.S. and the European Union, she said.
“Data flows are foundational to a large and increasing amount of the $6.2 trillion U.S.-European economic relationship,” said DelBene, who called for a “quick and lasting” Privacy Shield replacement and introduced the Information Transparency and Personal Data Control Act. DelBene previously spoke with IAPP Editorial Director Jedidiah Bracy, CIPP/E, CIPP/US, about prospects for a federal privacy law.
“Personal privacy really is a foundational issue that we must get right, and frankly we’re already behind in creating a national privacy standard,” she said.
Just a few years ago, Brazil, China, India and the U.S. were the only four major countries without privacy laws, Alston & Bird Senior Counsel Peter Swire, CIPP/US, said. Brazil has now implemented its General Data Protection Law, and India and China are in the process of creating legislation, leaving the U.S. “as the main outlier globally for not having a privacy law,” Swire said.
“That puts the U.S. now at a real disadvantage in the world’s eyes when it comes to privacy,” Swire, who is also the Elizabeth and Thomas Holder Chair of Law and Ethics at the Georgia Tech Scheller College of Business, said. “You don’t want to pass laws just because everyone does it, but right now, the U.S. looks really different from the rest of the world and it’s harder and harder for us in the U.S. to make the case that the U.S. is a safe place for data to go.”
Brookings Institution Ann R. and Andrew H. Tisch Distinguished Visiting Fellow Cameron Kerry said the absence of a privacy law is the U.S.’s “original sin” in international discussions.
“Having a privacy law is really table stakes in these discussions,” he said. “The current system fundamentally lets companies set their own rules and puts no boundaries on data collection, use and sharing, and that results in pressure and a lack of trust from companies that are doing work around the world.”
Workday Vice President and Chief Privacy Officer Barbara Cosgrove said that for the company’s global customers, addressing data flows is top of mind. The cloud management provider has pointed customers to the use of standard contractual clauses and binding corporate rules and has continued to update its guidance as things move forward. But companies continue to anticipate a successor framework that will sufficiently protect data transfers.
“The amount of work we’ve put into this and communicating with our customers and being able to rely on those mechanisms, we’re very fortunate we are a larger company, that we have the resources, that we had a robust program,” she said. “Long term, we really need to see a successor framework so people can trust transfers can continue.”
Center for Democracy and Technology Co-Director, Security and Surveillance Project Sharon Bradford Franklin said that, to address concerns cited by the CJEU in the “Schrems II” ruling, the U.S. needs to make reforms in the areas of surveillance law and adequate redress for EU citizens.
“The opinion focused on the rights of Europeans, but really, the types of reforms that we would need to implement would help Americans, as well,” Bradford Franklin said.
While a federal privacy law is not the key to a Privacy Shield replacement, Cosgrove said it “would remove a lot of the arguments.”
“We are seeing across the globe countries implement privacy legislation and it’s becoming much more difficult to have that conversation. It doesn’t put us on an even playing field. We need federal privacy legislation to change the entire tone and tenor of the conversations to be able to easily demonstrate how we have these protections in place,” she said. “Having that alignment is going to be incredibly important for the durability of data transfer mechanisms, for us to be able to see those continue in the long term.”