h1

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks: Why They Matter

September 13, 2019

by James Sullivan, DAS for Services, Industry and Analysis

The EU-U.S. Privacy Shield Framework marked its third anniversary on August 1st. Just this week, on September 12-13, the U.S. Department of Commerce and the European Commission conducted the Third Annual Joint Review of the Privacy Shield program (Review) in Washington, D.C.

In connection with the Review, the International Trade Administration (ITA) is spotlighting the origins of the Privacy Shield and its importance for transatlantic commerce.

What is Privacy Shield?
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Government and the European Commission and Swiss Administration, respectively, to provide companies with a mechanism to transfer data from the European Union (EU) or Switzerland to the United States while complying with EU and/or Swiss data protection requirements.

At its core, the Privacy Shield Frameworks establish robust and enforceable protections for the personal data of EU and Swiss individuals as companies transfer the data to the United States. The Frameworks require transparency from participating companies on how they use personal data, as well as strong oversight from the U.S. government, all in collaboration with EU and Swiss data protection authorities.

Companies participating in the Privacy Shield program commit to provide privacy protections determined to be adequate under EU and Swiss laws. While signing up for the Frameworks is voluntary, once a company self-certifies to the U.S. Department of Commerce and publicly declares its adherence to the Privacy Shield Principles, the commitments are enforceable under U.S. law.

With the global economy increasingly dependent on cross-border data flows, the Frameworks are vital for U.S. organizations currently doing business or looking to pursue  business opportunities in Europe.

A Short History, a Major Achievement
In July 2016, the European Commission determined that the EU-U.S. Privacy Shield Framework provides adequate privacy protections for the personal data of EU individuals. Shortly thereafter on August 1, 2016, ITA began accepting and processing self-certification applications. A similar arrangement with Switzerland followed in January 2017. Since that time, ITA has taken a number of steps to further strengthen the implementation of both Frameworks.

Just this month, , the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield reached milestones of having more than 5,000  and more than 3,300 participating companies, respectively. A full list of Privacy Shield participants is available at www.privacyshield.gov/list.

These participating organizations represent a wide variety of industry sectors and sizes, and more than 70 percent of participants are small and medium-sized businesses. All participants transfer data to the United States and have a presence there, with many U.S. subsidiaries of European companies having also joined the Frameworks.

PS Overview Blog Pie Chart 091319

Privacy Shield participants range from small companies (revenue less than $5 million) to large companies (revenue more than $5 billion).
Source: Office of Digital Services Industries (ODSI), Industry & Analysis, ITA.

A Transatlantic Win
U.S., EU, and Swiss companies are key Privacy Shield beneficiaries, as the Frameworks provide a clear mechanism to comply with data protection requirements when transferring personal data from the EU or Switzerland to the United States. By bridging the different regulatory systems in Europe and the United States, transatlantic commerce is preserved and promoted. In addition, compliance requirements are clear and cost-effective, which especially helps small and medium enterprises seeking to do business with Europe.

To join Privacy Shield, a company is required to self-certify with ITA and publicly commit to comply with the Frameworks’ requirements. The decision to participate in Privacy Shield is completely voluntary, but the public commitment is enforceable under U.S. law by the Federal Trade Commission or the U.S. Department of Transportation. The self-certification process is designed to be as clear and efficient as possible, and ITA officials are available to help companies along the way.

Any U.S. company certified under Privacy Shield must provide relevant individuals with information on personal data collected, including why it was collected and how it will be used. Privacy Shield also gives individuals options for limiting the use and disclosure of their personal data.

Finally, under Privacy Shield, EU and Swiss individuals for the first time have a defined channel to raise questions regarding U.S. government intelligence practices pertaining to their data. Privacy Shield also offers multiple avenues for filing complaints and seeking redress, and free independent dispute resolution to address other data protection concerns.

Why Does Privacy Shield Matter?
The economic implications of cross-border data flows are immense. Digital data flows underpin the $7.1 trillion in trade and investment between the United States and Europe.

Furthermore, they allow businesses in all sectors to cooperate across the Atlantic, engage in research and development with their counterparts, connect with global supply chains, and share data with subsidiaries located in different countries.

An increasingly digital economy also enables even the smallest companies to participate in the global marketplace—so long as they can transfer data across national borders to facilitate trade, investment, and innovation.

Moreover, by creating clear, enforceable personal data protection obligations on companies, Privacy Shield enables participating companies to better protect the privacy of their customers, promoting trust. Such trust ensures greater consumer confidence in the use of digital services and helps grow the market, creating jobs and opportunity, while providing valuable services to consumers.

To learn more about Privacy Shield and its importance to a successful transatlantic relationship, go to: https://www.privacyshield.gov.

Businesses interested in joining Privacy Shield can start the self-certification process here: https://www.privacyshield.gov/PrivacyShield/ApplyNow.

The Office of Digital Services Industries (ODSI) in the International Trade Administration (ITA) at the U.S. Department of Commerce promotes privacy policy frameworks that facilitate the free flow of data across borders, leads policy discussions on privacy with international partners, and addresses trade and commercial issues on evolving information and communications technology (ICT) services. It is part of ITA’s Industry & Analysis business unit, which helps to create the conditions for U.S. industry to innovate and compete globally.