Connecting consumers, employees, and service providers poses interesting challenges in today’s digital economy. Building a corporate culture that emphasizes confidentiality, integrity and the security of consumer data is not only an important business concern, but it’s also an important national concern striking at the heart of our economy.
The United States Department of Commerce (DOC) and multinational corporations struggle with the complexities of international trade. This includes important global economic considerations in a post Brexit world, a reference to the United Kingdom’s (UK’s) controversial referendum and ultimate withdrawal from the European Union (EU) in 2018.
Some argue that the UK’s decision to leave the EU restored national sovereignty and that the UK regained control over things like immigration and trade. There are others who would disagree. Some argue that the UK’s rising concerns over inflation and labor shortages are an ominous sign that Brexit may have been a terrible miscalculation.
There are complex issues in the Asian Pacific region, which includes ongoing data protection issues and the protection of corporate trade secrets and intellectual property. Reportedly, TikTok is at the center of multiple controversies in the United States, highlighting the existing turmoil over difficult legal, political, and social concerns for the nation. This has converged to the world’s 2025 economic crisis in President Trump’s Second Presidency, with his current trade policies and Middle East tour that is sharply focused on strengthening economic ties and diplomatic relations in the region.
It’s about attempting to understand our U.S. economy against a complex set of global factors. This includes understanding the UK and the world economy post Brexit, which includes examining the many different ways companies transact business globally with some of the more recent changes at DOC. It also helps to understand the current regulatory scheme that includes some of the more recent FTC decisions in the U.S. and globally involving companies like Google and Facebook.
In 2020, the EU-U.S. Privacy Shield was invalidated. This decision resulted from a rather important case out of the Court of Justice of the European Union (CJEU) commonly referred to as Schrems II, or Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (Case C-311/18), which has serious implications for multinational organizations transacting business overseas and the U.S. Department of Commerce.
Large corporations like Facebook, Google, Apple, LinkedIn and Microsoft must deal with compliance issues surrounding cross-border transfers. This means that employees and stakeholders must have a broad understanding of privacy and data protection laws and regulations worldwide. Schrems II impacted these companies and DOC, resulting in policy-making privacy and data protection legislation across the country.
In the context of cross-border transfers, privacy and data protection law involves a careful understanding of the delicate balance between law enforcement requests for data and national security, as well as fundamental and global human rights guarantees.
When protecting corporations and employees both at home and abroad, the C-suite, corporate stakeholders, human resources, legal, information technology and other departments must understand important national security interests and partnerships available with agencies such as DOC, Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technologies (NIST) in the United States to better protect companies, critical infrastructure and other important interests impacting the nation. In many ways it’s becoming integral to conducting business transactions responsibly. With respect to most multinational or large-scale corporations, it’s necessary for regulatory compliance in this country and abroad.
Post Schrems, corporations began to use Binding Corporate Rules (BCC’s) and Standard Contractual Clauses (SCC’s) until a better framework could be negotiated. These are legal mechanisms agreed to between the European Commission and the United States to permit the transfer of consumer data between the EU to third countries that lack an adequate level of data protection. This is called adequacy. After Schrems II, a corporation like Microsoft using SCC’s must assess whether the laws of the recipient country ensure adequate protection, and implement additional safeguards to ensure compliance.
Adequacy is intended to protect the data of EU members when their data flows to the United States. SCC’s consist of standard contractual clauses that are intended to protect data and that allows controllers and processors to better comply with compliance obligations.
According to the European Commission, on June 4, 2021, the European Commission adopted two sets of standard contractual clauses, one is for use between controllers and processors within the European Economic Area (EEA) and one for the transfer of personal data to countries that lie outside the EEA.
On October 7, 2022, President Joe Biden Signed an Executive Order, titled “Enhancing Safeguards for the United States Signals Intelligence Activities.” The purpose of this order was to impose data limitation commitments. This imposes a data limitation obligation on U.S. intelligence agencies to access data that is necessary and proportionate. The order further commits to establishing a multi-layered redress mechanism, which includes independent Data Protection Review Court, to establish a procedure that would handle complaints from individuals located in the EU regarding data collection.
The purpose is to better establish trust as data flows between EU covered individuals and the United States. An effort to better strengthen trade between nations and to rebuild trust with respect to transatlantic data flows post Schrems.
The EU-U.S. Data Privacy Framework (DPF) replaced the invalidated Privacy Shield. This new legal mechanism established for cross-border transfers was intended to address issues raised in Schrems II concerning the lack of adequacy or protections for EU data subjects.