Shifting Global Privacy Demands For Business: What Leaders Need To Know
Dec 15, 2022 by Eric D. Reicin, President & CEO, BBB National Programs
As businesses continue to develop new and innovative technologies, they are also collecting more data from consumers. This increase in data collection may be having a negative impact on consumer trust in business. According to a recent PwC survey, there is a glaring gap between the trust consumers have in companies (30%) and the trust business leaders think consumers have in their organizations (87%).
Against this backdrop, new regulations and laws surrounding consumer privacy are going into effect at all levels, including transnational privacy agreements. This web of privacy change impacts a business’ day-to-day plans for how to collect, store and share data and advertise to its customers. The intent is to give consumers more control over what data they share and when, but the real onus is on every business leader to take necessary steps to enable that to happen, appropriately safeguarding the data and privacy of their customers.
Currently, the 5,000 businesses that rely on the EU-U.S. Privacy Shield framework for processing personal information from consumers—which U.S. Secretary of Commerce Gina Raimondo cites as being 70% composed of small to medium-sized businesses—are trying to figure out how to shift out of the limbo they have been living in for the last two years. That is because on October 7, the two-year-long U.S. and European Commission negotiations regarding the future of the data privacy frameworks behind the Privacy Shield program, impacting $7.1 trillion in transatlantic trade, were completed with the release of a Presidential Executive Order, passing the baton to the EU for the start of their adequacy process.
Though this new framework for the Privacy Shield program has been two years in the making, businesses are just now learning the impacts of the enhanced EU-U.S. Data Privacy Framework and what it may mean for their day-to-day operations. The Executive Order does not spell out how different the new framework may be from the existing Privacy Shield program, and some are questioning whether the new framework will be able to stand up to another Schrems challenge.
For some background, Austrian activist and lawyer Max Schrems originally filed a complaint with the Irish Data Protection Commissioner against Facebook in 2011, which alleged that the company violated the Safe Harbor agreement which protects EU citizens’ privacy. This complaint ultimately led to Europe’s highest court invalidating the EU-U.S. Safe Harbor framework in 2015. From this came the EU-U.S. Privacy Shield Program, which was later invalidated in the summer of 2020 with Schrems’ second complaint.
Fundamentally, Schrems I and II are about the same issue: U.S. government surveillance. Schrems simply modified his original complaint that invalidated Safe Harbor in Schrems I to continue pushing the issue of U.S. government surveillance. That push resulted in Schrems II and the lingering uncertainty over the validation of Privacy Shield.
The good news is that even if Schrems decides to file again based on this same rationale—government surveillance—the U.S. Department of Commerce believes the new framework should withstand the challenge because of the collaborative approach between Commerce and the EU Commission to ensure the issues identified in Schrems II were resolved by the Executive Order. During a session at a recent IAPP conference, Commerce’s ITA director Alex Greenstein explained: “At the start we looked at the 'Schrems II' decision as kind of a map for how to make these changes and directly address it in certain ways, and so one of the things in the (Privacy Shield) was the independence and the authority of the (data) ombudsman. So now we’re able to work with full knowledge of the 'Schrems II' decision, and that really has given us a lot more leeway to deal with the rest of those concerns. So, specifically, the redress mechanism throughout (the executive order) includes very robust protections against removal of influence.”
The European Commission has also expressed confidence in this new framework’s ability to stand up to future challenges, stating: “The objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities' access to data (necessity and proportionality) and the establishment of the new redress mechanism.”
While awaiting this additional guidance, business and nonprofit leaders can take some lessons from Schrems I to help them prepare for what is to come:
- Be prepared to update internal and external policies and procedures that may impact EU citizens based on the updated Privacy Framework and to engage with vendors that manage consumer data on your behalf to review and revise compliance procedures.
- Demonstrate compliance. Now, just as before, businesses should think about how they can demonstrate to business partners, consumers and regulators that their data handling practices remain aligned with EU data protection standards. This can be done by strengthening notices, reexamining data flows, and building additional safeguards.
- Businesses looking to further demonstrate their commitment to their customers can do so by providing them with free dispute resolution services for privacy complaints through a Commerce Department-approved Independent Recourse Mechanism (IRM).
Because privacy is so connected to constantly changing technologies, rules and regulations will continue to change to try to adapt to this reality. This process can be intimidating, but I suggest maintaining focus on your overall privacy posture. By working with the right IRM and/or outside counsel, leaders can ease the pain of the transition process and understand your obligations and responsibilities as they evolve.
Originally published in Forbes.