On March 17, 2016, Bojana Bellamy, President of the Centre for Information Policy Leadership (“CIPL”), participated on a panel of experts at a hearing in front of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) about the new EU-U.S. Privacy Shield for commercial transfers of EU personal data to the U.S.
The Privacy Shield as an Effective Cross-Border Privacy Mechanism
Speaking as “a privacy professional” from the “trenches of corporate data privacy compliance,” Bellamy supported the Privacy Shield, arguing that it is an essential data transfer mechanism that will substantially strengthen data privacy in transatlantic data transfers and deliver effective protections to individuals. According to Bellamy, both European and U.S. companies need a wide spectrum of data transfer mechanisms, including the Privacy Shield, to reflect the diversity of today’s global data flows, companies and their transfer needs.
In discussing the specific commercial privacy enhancements of the Privacy Shield over Safe Harbor, Bellamy pointed out that Privacy Shield certification requires companies to step up their privacy practices, oversight and compliance. Companies will need to implement a comprehensive privacy program within their organizations and remain accountable at all times. This, according to Bellamy, is a significant improvement and guarantor of effective privacy protection and compliance.
She also noted the new oversight, enforcement and redress mechanisms, as well as the mechanisms for ongoing review and updating of the Privacy Shield. Together, these elements make the Privacy Shield, both “on the books and on the ground,” a significantly more robust program than Safe Harbor, and one that meets the requirements of the Court of Justice of the European Union (”CJEU”).
In answer to those who claim the Privacy Shield is an unsatisfactory response to the CJEU decision, Bellamy called for pragmatism and argued that even if that were the case, the Privacy Shield includes a process for ongoing review and modification designed for further improving and perfecting the mechanism.
Bellamy also indicated that the Privacy Shield must not be viewed by itself, as it builds upon strong protections in the new EU General Data Protection Regulation (“GDPR”). For example, under the extraterritorial jurisdiction provision of the GDPR, U.S.-based companies must already comply with the European legal requirements if they monitor or target European citizens for products or services, regardless of Privacy Shield participation. Thus, the Privacy Shield, to a large extent, simply improves enforceability of these requirements, according to Bellamy.
The Privacy Shield as an Enabler of the Modern Digital Economy
Bellamy also placed the Privacy Shield into the context of the modern data economy generally, and the goals of the European Digital Single Market specifically.
She discussed the Privacy Shield’s role as an enabler for European business to be more efficient, productive and connected. It is in the interest of the European Digital Single Market objectives that Europe benefits from exchanges of data, ideas, innovation, talent and people across the Atlantic.
She also touched on the fact that in the absence of the Privacy Shield, businesses would be forced to rely on limited transfer mechanisms that are less than optimal for many of them, as well as for consumer privacy due to, for example, the challenges associated with executing mechanisms in a timely fashion or for future and ever-changing data transfers. Similarly, she emphasized the need to re-introduce legal certainty for businesses that rely on transatlantic data flows.
To illustrate the value of data flows to the economy, Bellamy cited the March 2016 McKinsey report entitled Global Data Flows – Digital Globalization: The New Era of Global Flows. This report, Bellamy indicated, shows that there has been a dramatic increase in global data flows, resulting in the transmission of information and ideas as well as increased innovation, all of which has impacted economic growth to a degree of magnitude that the report calls “quite striking.”
Quoting from the McKinsey report, Bellamy stressed that “[c]ountries cannot afford to shut themselves off from global flows” because the new opportunities that are associated with the digital economy “will favor locations that build the infrastructure, institutions and business environments that their companies and citizens need to participate fully.” Thus, “creating thoughtful frameworks that allow data to move both securely and freely across their borders” is imperative for reaping the economic benefits of the digital economy. Bellamy emphasized to the LIBE Committee that creating such an environment includes having a robust, reliable and stable legal framework for cross-border data flows and that the Privacy Shield is fits the bill as a “thoughtful framework” to enable cross-border data flows.
Thus, according to Bellamy, rejecting the Privacy Shield based on an ill-advised “fortress Europe” mentality would not only be unfavorable for privacy, but would undermine the EU’s ability to successfully participate in what the World Economic Forum calls the “fourth industrial revolution.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code