WASHINGTON—More than 5,000 mainly small and medium-sized firms around the United States and Europe face significant costs as a consequence of the European Court of Justice (ECJ) decision last summer to invalidate the EU-U.S. Privacy Shield, according to a new report released today by the Information Technology and Innovation Foundation (ITIF). Transatlantic trade and innovation will suffer, the report concludes, unless policymakers replace the Privacy Shield with a new legal framework outlining how firms can legally protect EU personal data when they transfer it to the United States to provide the digital goods and services that now drive transatlantic trade.
ITIF’s report details how firms used the Privacy Shield for everything from business operations to customer service, communications, research and development, and human resources. Concluding that the Privacy Shield and data flows have played a key role in the $7.1 trillion transatlantic trade and innovation relationship, the report argues it is urgent that U.S. and European policymakers establish a new legal framework to facilitate them.
“The Privacy Shield program was the critical bridge that thousands of mainly small and medium-sized firms used to traverse U.S. and European data-protection laws. Given the cost and complexity of switching to other legal tools to transfer personal data on EU citizens, these small and medium-sized firms will be disproportionately impacted by the framework’s demise,” said Nigel Cory, ITIF’s associate director for trade policy and the report’s lead author. “The COVID-19 pandemic has accelerated the transition to a digital economy, and the role and importance of transatlantic data flows will only grow from here. Policymakers on both sides of the Atlantic need to recognize this and prioritize a collaborative effort to establish a new data-transfer mechanism.”
The report examines the 5,211 firms that were actively self-certified under the Privacy Shield as of October 2020, breaking them down according to their size, their industries and sectors, and the purpose of their data transfers. Contrary to a common assumption that the Privacy Shield and data flows in general are simply a tool of “big tech,” the analysis shows that two-thirds of firms using the program (65 percent) had less than $25 million in revenues, and 92 percent had revenues less than $500 million.
Similarly, the analysis shows that the Privacy Shield was used across a wide range of industries, not just information and communications technology. For example, there were more than 750 firms that provide business and professional services, nearly 300 firms in the health-care industry, and many others in industries ranging from agribusiness to education.
The analysis also shows that the Privacy Shield was being used by companies all around the United States, Europe, and the World, with 13 U.S. states home to more than 100 Privacy Shield users; hundreds of users headquarted in the EU; and many more in neither the United States nor the EU—from Japan’s Pokémon Company to Israel’s Teva Pharmaceuticals.
“Having an interoperable legal mechanism for data protection and digital trade is critical to the transatlantic relationship. The stakes of severing that connection are enormous—not just for the United States and Europe, but for the global digital economy, given the signal it would send if two partners that share common values can’t find a way to work together,” said ITIF Research Fellow Ellysse Dick, who co-authored the report with Cory and ITIF Vice President Daniel Castro. “It’s important EU and U.S. policymakers realize the enormous economic and innovation stakes involved and build a new bridge for transatlantic data flows.”
Read the report.
