**This article first appeared on EURACTIV on September 18, 2017.**
The Privacy Shield agreement has already improved data protection and digital trade between the EU and the US in its first year, and that should continue, writes Victoria A. Espinel.
The EU-US Privacy Shield achieves the right balance between data protection and the need for uninterrupted data flows. In its first year, it has already improved protections for the personal data of EU citizens, and provides a foundation for the growth of innovative services on which our economies and job growth greatly rely.
As the Privacy Shield’s first annual review starts Monday (18 September), we should not underestimate the progress that has already been made to strengthen it.
The global economy is more interconnected than ever before. The amount of data being shared around the world has grown 45 times larger since 2005. And we expect an even sharper increase over the next decade, according to a McKinsey report.
Data flows transmit valuable information and underpin the movement of not only services and finance, but also goods and people. Almost every type of transaction today has both a digital and international component and therefore relies on the unhindered and uninterrupted flow of data.
This includes personal data, which always carries a higher level of protections to safeguard privacy. Protecting privacy and allowing data flows are not mutually exclusive – in fact, they are both essential as the EU seeks to reap the benefits of the global data economy.
The Privacy Shield framework successfully balances the two priorities. The agreement improves privacy protections and ensures that data can continue to flow across the Atlantic, supporting the EU-US trillion-euro trade relationship, by far the largest in the world.
It is important to understand how the Privacy Shield improves upon the protections of its predecessor, the “Safe Harbor” Framework. The new framework is the result of intense and constructive negotiations between the European Commission and the US government that ended in summer 2016.
Compared to Safe Harbor, Privacy Shield provides significant enhancements and considerably stronger data protection obligations for companies transferring EU citizens’ data to the United States.
Take commercial practices, for example. The Privacy Shield imposes stricter onward transfer requirements for third-party processing of EU data, and stronger monitoring and enforcement by US authorities. It also gives EU citizens several additional redress possibilities if they think their data has been misused, including the ability to lodge a complaint with the company or their local data protection authority.
Software companies are at the forefront of the digital transformation and are responsible stewards of the data that individual customers and companies across all industries entrust to them. Customer trust is key, and in order to retain it, software companies have placed privacy at the very core of their services.
There are 2,400 companies certified to the Privacy Shield, and they have invested considerable efforts and resources to revise their privacy policies and procedures to correspond to the agreement’s tougher privacy requirements.
These companies have changed internal compliance programs and oversight mechanisms, appointed privacy officers, and amended contracts with third parties that process EU-origin personal data, to name a few. Moreover, companies are taking substantial actions to comply with the EU’s new privacy regime, the General Data Protection Regulation, which will enter into force next year.
These changes complement the US government’s commitments under the agreement, including the establishment of an ombudsperson within the Department of State who will handle EU citizens’ complaints relating to surveillance activities.
The Privacy Shield’s more robust framework provides businesses with the legal certainty they need to continue operating and innovating, a fact reflected in its rapid adoption by companies both large and small, US and European.
Privacy Shield has already attracted a huge amount of companies in its first year: more than half the number of companies that previously certified during the Safe Harbor’s 15 years of operation. Legal certainty is not only important to Privacy Shield-certified companies, but also to their customers.