Will calls for stricter data privacy rules eventually discourage U.S. companies from pursuing European business opportunities? The European Data Protection Supervisor (EDPS), which monitors EU data protection policies, sharply criticized the EU-U.S. Privacy Shield in an official opinion last week. The Privacy Shield imposes stricter security requirements on the transfer of data from the EU to the U.S. – but the EDPS deemed even these stricter requirements inadequate.
Among other things, the EDPS rejected the idea that corporations can effectively self-certify their compliance with the Privacy Shield. Instead, the EDPS called for U.S. authorities to systematically monitor corporate compliance. The EDPS also advocated for allowing EU citizens to sue in the EU for damages caused by Privacy Shield violations.
It remains to be seen whether the debate about even stricter rules for data transfer will have a chilling effect on US companies’ activities in Europe. In any case, do not expect the debate to fade quickly.
[I]n an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalized digital world where many countries are now equipped with data protection rules.