NRF and EuroCommerce agree to reinforce cooperation on data flows and privacy, successor to EU-U.S. Privacy Shield
Press release - Consumer protection
How to legally transfer customer and employee data across the Atlantic now that the EU-U.S. Privacy Shield has been invalidated by the European Union’s highest court was a key issue of discussion as EuroCommerce and the National Retail Federation held their latest Retailer Exchange Meeting this week.
“Retailers have a long history of nurturing customer relationships and meeting consumer expectations,” NRF President and CEO Matthew Shay said. “The safekeeping and responsible use of consumer data to improve the shopping experience is indispensable to the trust retailers earn with their customers. At no time in history has that trust been at a greater premium than in the current environment with the pandemic, when retailers have accelerated their digital relationships with customers to serve them in new ways during these challenging times. Protecting cross-border flows of data is incredibly important to global retail operations, and the invalidation of the Privacy Shield creates operational and legal challenges for retailers to seamlessly serve their European customers and maintain their workforces in EU member states. We are prepared to work with EuroCommerce to provide constructive input on these issues toward a pragmatic and workable solution that ensures the continued free flow of transatlantic data.” “Data is the lifeblood of retail, both in its relations with its supply chains, ensuring that the goods which people need find their way onto shelves at the right time and the right quantities, but also in respect of its customers, to ensure that it serves their needs and gains insights into constantly changing consumer expectations,” EuroCommerce Director-General Christian Verschueren said. “The increasing digitalisation of these processes, the development of the Internet of Things, the use of AI, robotisation and technologies such as blockchain have transformed how retailers do business. This has been accompanied by the rapid shift, accelerated by the impact of the COVID-19 pandemic to online and omnichannel purchases which has further underlined the importance of data to our sector. This means, in turn, that data needs to be able to move across borders efficiently, and where personal data is involved, to be handled in a way which engenders trust and ensures that customers can be confident that their data is properly protected and used responsibly.” The Privacy Shield was agreed by the European Commission and the U.S. Department of Commerce in 2016 to replace the 15-year old Safe Harbor agreement for transatlantic data flows that had been invalidated in 2015 in the Schrems decision by the European Court of Justice, the EU’s highest court. In its Schrems II decision this summer, the same court struck down the Privacy Shield after just four years, leaving the transfer of data under the program in legal limbo. The ruling assured the validity of existing European Commission-approved standard contractual clauses, or SCC’s that serve as an alternative transfer mechanism for businesses, but set additional conditions on their use that calls into question the continued reliance on SCC’s by global retailers.
EuroCommerce and NRF normally meet in person in Brussels but met virtually on Wednesday and Thursday because of the pandemic. The organisations’ members addressed the Privacy Shield and other issues among themselves, with experts from outside companies, and with senior EU officials including Justice Commissioner Didier Reynders, who is responsible for data protection.
At the meeting, NRF and EuroCommerce members agreed to continue and strengthen their cooperation in the coming year through joint work and dialogue focusing on a number of key issues with major implications for transatlantic data flows and for the retail sector, including:
- European Commission work on the modernisation of standard contractual clauses
- EU policymakers’ and the U.S. Commerce Department consideration of a successor to the Privacy Shield
- The work of the European Data Protection Board on guidance for additional safeguards for EU data outside its borders
- Clarification of privacy issues and the use of cookies
Separately, members also agreed to work together to address solutions to current issues in connection with payments. The two organisations have worked together on data issues for the last five years and in 2018 jointly issued a Retail Approach to Implementing Critical Elements of the GDPR.