- eco Association and i2Coalition promote an exchange on transatlantic data protection
- Discussion series between Internet industry and politics successfully concluded on 22 May in Washington D.C.
- Priorities: Reach a common understanding of what’s important in terms of privacy and strengthen the EU-US Privacy Shield
Representatives of the Internet industry from Europe and the US, along with US policy-makers, came together in Washington D.C. on 22nd May to pave the way for better transatlantic data protection.
The Washington event was the third and final gathering in a roundtable series which began on February 7th in Brussels, and then continued to Berlin on February 12th. All three roundtables were jointly hosted by eco – Association of the Internet Industry and the US based Internet Infrastructure Coalition (i2Coalition). The core focus of the dialogues was on the future of international data transfer between the EU and the US – and, in particular, on that of the EU-US Privacy Shield.
Participants of the high-level panel included Melissa Froelich, Committee on Energy & Commerce, Chief Counsel for Energy & Commerce Commission; Ned Michalek, Chief of Staff for Congressman Eliot Engel, Chair of the Foreign Affairs Committee and Energy and Commerce; Ram Mohan, CEO of Afilias; David Snead, General Counsel for cPanel, and Policy Working Group Chair and Co-Founder of the i2Coalition; Andrew Steele, US Department of Commerce and Specialist in International Trade Administration; and Oliver Süme, Chair of the eco Association and Partner & IT Lawyer Fieldfisher.
Importance of SMEs to the Economy – and Importance of Legal Certainty for SMEs
When legislators discuss how the Internet needs to evolve and how regulations need to be shaped, they need to take into account the needs of SMEs, who ultimately fuel the digital economy. This point was emphasized by both Christian Dawson, Executive Director of the i2Coalition and Oliver Süme, Chair of the eco Association. In Europe, SMEs make up the backbone of the economy and are mostly just on the cusp of going digital; this signifies massive opportunities for US providers – but only if data can be transferred with legal certainty. As such, according to Süme, “the area of international data transfer is one of the most important prerequisites for the further growth of digitalization in both continents.”
US Department of Commerce’s Stance on EU-US Privacy Shield
The panel viewed the Privacy Shield as being critical to US businesses in terms of demonstrating a commitment to taking customers’ information seriously. Since being instituted in 2016, the Shield has seen 4,600 US organizations become self-certified, and these numbers continue to grow. While a company’s decision to self-certify is voluntary, once it has publicly committed to the process, its commitments are enforceable under US law. According to Andrew Steele of the US Department of Commerce, the commitment of the US government to the Shield can be deduced not just from the substantial on-the-ground work of its team, but also from the positive findings of the second Annual Review of the Privacy Shield, undertaken in Brussels in 2018. Steele went on to reassure the gathering that, once confirmed by the Senate, Keith Krach, Under Secretary for Economic Growth, Energy and the Environment is due to finally assume the role of Privacy Shield Ombudsman.
Outlook for Privacy Legislation in the US
The panel’s US policy advisors both anticipated action on introducing privacy legislation in the US. The impetus behind this is seen to stem not just from constituents’ concerns on data breaches and sale of information, but also from the impact of the EU General Data Protection Regulation (GDPR) and the recently-introduced California Law. Both advisors urged companies to engage proactively for one national standard, in order to avoid a counterproductive patchwork system of legislation.
Learning for International Policy-Making
While the GDPR represents the most significant milestone in digital policy in the last 20 years, Oliver Süme noted that it is also not without its imperfections. A key lesson which should be heeded by other legislators is that the GDPR does not offer enough flexibility or make sufficient distinctions between big and small companies. Furthermore, the GDPR’s provision for a number of “opening clauses” and, in particular, its allowing each nation state to determine how employee data is dealt with, exacerbates the complexity for companies working in multiple jurisdictions.
In approaching policy-making internationally, the general consensus was that the priority should be on reaching a common understanding of what’s collectively important in terms of privacy. Here, David Snead of the i2Coalition underlined four crucial principles for the shaping of legislation: those of practicability, accountability, evaluation of legislative effectiveness, and system-wide application.
In the meantime, for transfer of data between the EU and US, the roundtable was of one mind: The priority should be to strengthen the Privacy Shield.
For a more in-depth insight into the roundtable dialogues, read the full report here.
