EuroCommerce, The National Retail Federation (NRF) Release White Paper Supporting Transatlantic Data Privacy Framework

WASHINGTON — April 12, 2023 — Ahead of next week’s expected European Parliament resolution on an EU-U.S. agreement covering transatlantic data transfers, EuroCommerce and the National Retail Federation today released a white paper on the issue and urged institutions on both sides of the Atlantic to swiftly adopt and implement the framework.

“The new EU-U.S. Data Privacy Framework would represent a clear improvement over the former Privacy Shield program,” said Christel Delberghe, director general of EuroCommerce, which represents retailers and wholesalers in Europe. “Following more than two years of uncertainty and disruption, it will facilitate responsible data transfers for retailers and wholesalers alike.”

“U.S. retailers support a reliable and legally valid transfer mechanism that allows them to serve their customers in the EU while maintaining the highest data protection standards,” NRF President and CEO Matthew Shay said. “This analysis shows that the new framework would ensure legal certainty and provide a durable, long-term mechanism for safeguarding consumers’ data while benefiting consumers and businesses alike.”

In December 2022, the European Commission launched the process of approving the EU-U.S. Data Privacy Framework by issuing a draft adequacy decision concluding that the agreement provides adequate safeguards comparable to those in the EU. The European Parliament is currently preparing a resolution for publication next week.

The white paper prepared by EuroCommerce and NRF delivers a detailed legal analysis, particularly with respect to establishment of a new Data Protection Review Court under U.S. law. The analysis shows that the new framework would address cumbersome and costly-to-implement standard contractual clauses currently required for personal data transfers between the EU and the United States and would introduce improvements regarding the necessity and proportionality of government access in line with requirements of the European Court of Justice. That, in turn, would free up resources of retailers and wholesalers to further protect the privacy and security of consumers’ personal data by fortifying online system defenses, investing in advance personnel training and monitoring, and assessing privacy and security risks from service providers.

In addition, the white paper dives into the role of the Data Protection Review Court established by the United States for handling complaints of EU individuals implicating matters of U.S. national security. It confirms that the U.S. legal system authorizes creation of administrative tribunals like the DPRC, and that it would be comprised of qualified judges with independent authority to issue final and binding decisions directing remedial measures to be undertaken by U.S. intelligence agencies. EuroCommerce and NRF believe this mechanism meets Court of Justice requirements of providing adequate and effective redress to EU individuals.

EuroCommerce and the NRF encourage the European Commission to take the views of the European Council, the European Parliament and the European Data Protection Board into account and look forward to the timely adoption of a final adequacy decision and implementation of the Data Privacy Framework.

NRF and EuroCommerce have worked together on EU data privacy rules since 2016, holding annual joint meetings with EU officials with the goal of developing approaches to safeguard consumers while fostering regulatory certainty for transatlantic retailers. The previous Privacy Shield was struck down by the Court of Justice of the European Union, the EU’s highest court, in its July 2020 ruling in the Schrems II case. That ruling came only four years after the Shield replaced an earlier U.S.-EU Safe Harbor Agreement on transatlantic data flows rejected by the same court in 2015 in the original Schrems decision. Since 2020, standard contractual clauses approved by the European Commission have served as an alternative for businesses transferring data between the United States and the EU. Nonetheless, conditions set by the court on their use and supplementary measures recommended by the EDPB have made it more challenging and less predictable for retailers to rely on the clauses after Schrems II.

Posted: April 12, 2023

Source: The National Retail Federation (NRF)