Consumer privacy is vital to long-term EU-US data partnerships
As part of The Drum’s Data and Privacy Deep Dive, Permutive’s Husna Grimes argues the case for clearer rules around cross-border data privacy and security.
/ Adobe Stock
On the surface, the newly released White House executive order implementing the long-awaited EU-US Data Privacy Framework appears to be a real step forward, but in reality, this is just the start of what will be a very long process. While data flows account for a large proportion of the $7.1tn US-EU economic relationship, this framework is unlikely to escape challenges in the EU courts and its future therefore remains uncertain.
In the past, the disparity between US and EU law has led to a huge amount of confusion, limited access to service providers, and more regular legal challenges, which in turn brought higher costs for companies involved. This executive order was presented as a potential solution to bringing an end to these issues, but we are already seeing challenges to this before the European Commission has even issued its adequacy decision.
So what can we expect over the coming months, and possibly years?
The next steps
The likely course of action at this stage is for the European Commission to assess this framework, together with the regulations issued by the Attorney General and propose a draft adequacy decision. As part of the adoption process for this, the European Commission will also get a (non-binding) opinion from the European Data Protection Board (EDPB) and approval from EU Member States. Only after that will they consider whether to adopt the final adequacy decision. It’ll likely be at the earliest March 2023 before we start to see this coming into place.
Despite all of this, the EU-US Data Privacy Framework may still be challenged in the courts after the adequacy decision is adopted. There are ongoing debates across the wider privacy community about whether or not the executive order provides effective redress for data subjects, or whether it is a sufficient system, given that it’s not law and could be revoked by a future president. This is supported by groups like noyb.eu, a non-profit organization for digital rights, which publicly state on their website that this executive order is unlikely to satisfy EU law.
The Data Protection Authorities (DPAs) are even getting involved now, with the DPA of the German state of Baden-Wuerttemberg raising concerns at the end of October on whether the additional safeguards provided by the executive order are sufficient to address the standards specified by the Court of Justice of the European Union (CJEU) in the Schrems II decision.
It will also be interesting to see whether any decision in the EU courts invalidating the arrangement would be followed in the UK. Businesses operating in the UK could face yet another set of regulations to operate within, but little is known about how far removed from GDPR these rules will be, following recent government announcements. If the UK and EU disagree on this US adequacy decision, this only gets more complicated. All of which adds to the so-called ‘red tape’ that the UK is intent on getting rid of.
What is clear is that businesses need more certainty about how they can transfer personal data to the US. It can’t be the intention of EU regulators and the courts to stop the free flow of data, and there has to eventually be a solution that satisfies the CJEU and is not just seen as a political stop-gap.
Nonetheless, at the center of any data protection regulation is, of course, the consumer. Whatever the future of data protection in the UK, EU and US, it’s the privacy of consumers which should be the first thought behind any decision.
The push of consumer privacy
Recent research, conducted by Harris Poll on behalf of Permutive, found that 89% of consumers in both the UK and US are more likely to spend with a brand that commits to protecting their personal data, rather than one that doesn’t. More importantly, 75% of consumers are not comfortable with buying from a brand with poor data ethics. This is evidence that there is a new era of privacy emerging where consumers are acting to protect their own data privacy and governments, as well as brands themselves, must respond.
Suggested newsletters for you
It is the duty of key political figures on both sides of the Atlantic to ensure that they respond to this clear mood change towards data privacy. Consumers are becoming more aware every day of the ways they can protect themselves and their data, and governments must put the most appropriate mechanisms in place to help guide this.
While it’s a hard balance for governments to strike, they must work together to reflect consumer sentiment and empower advertisers and publishers to prioritize privacy, while also ensuring they don’t prevent business growth through unnecessarily strict privacy laws.
Husna Grimes is vice-president of global privacy at Permutive. For more on how the world of data-driven advertising and marketing is evolving, check out our latest Deep Dive.