Last week, NRF hosted its fifth annual retailer exchange meeting with high-ranking EU and U.S. officials. As we have each year, we learned plenty about EU data policy developments but also got a glimpse of the types of data laws we could eventually see here on this side of the Atlantic.
This year’s three-day set of meetings covered a range of issues, in particular the prospects for a successor to the invalidated EU-U.S. Privacy Shield, which is needed to create a new safe harbor agreement between the United States and the European Union covering customer and employee data that retailers transfer from Europe to America.
We also discussed the prospects for future EU regulation of artificial intelligence systems, a potential ban on targeted online advertising, and new EU legislation expected in a few months that would regulate business-to-business and business-to-government sharing of corporate data.
These annual meetings are beneficial to U.S. retailers on multiple levels. As anticipated, our members operating globally, either online or with a physical footprint in Europe, gain insights into forthcoming developments on a range of issues highly valuable to planning their future operations and policy advocacy within the EU.
Less obvious, but equally important, is that these meetings have proven important to retailers that operate primarily in the U.S. and focus on domestic regulations covering customer data practices. That is because the EU has been at the global forefront of regulating customer data collection and use, and its regulations have historically influenced the development of U.S. legislation on similar issues, principally privacy and data security laws.
For example, when NRF first took U.S. retailers to Brussels, the EU’s landmark General Data Protection Regulation had just been adopted and our members were determining how they would implement the measure for their European operations within the two-year period before the regulation would be enforced.
Working with our counterpart trade association and EU meeting co-host EuroCommerce and its members, we quickly found common ground on a range of data protection issues and agreed to develop a white paper discussing the transatlantic retail industry’s approach to implementing critical elements of the new regulation. The resulting GDPR Discussion Document for the Global Retail Industry was released in May 2018 just as the GDPR took effect, and the approach it proposed was well received by the European Commission, the European Data Protection Board and EU member nations’ data protection authorities.
NRF’s work on the GDPR was important to our efforts in the EU but was also a precursor to our later advocacy work on U.S. data privacy issues, beginning with the California Consumer Privacy Act, which was adopted in the summer of 2018 with many of its provisions inspired by the GDPR. It continues to inform our advocacy work on federal data privacy legislation as we work to limit the unintended ways these laws hamper retailers’ beneficial use of data to better serve their customers.
While our visits to the EU have traditionally been held in person in Brussels, we successfully transformed our program to a virtual format last year and this year, holding meetings with EU and U.S. officials located in Brussels over three half-days. We hope to return to Brussels next year.
In the past year, NRF and EuroCommerce reaffirmed their commitment to work together on transatlantic data protection issues, and in particular protecting EU-U.S. data flows following the invalidation of the Privacy Shield by the EU’s highest court last year. Without this safe harbor in place, U.S. retailers of all sizes that transfer customer or employee data from the EU run the risk of facing actions by EU data protection authorities.
In response, NRF and EuroCommerce formed a Joint Working Group for International Data Transfers tasked with identifying opportunities for our associations to jointly advocate with EU institutions on developing sensible rules for data transfers that provide greater certainty and are more easily implemented.
Last week’s meetings built on this work as we hosted officials from the European Commission, the European Data Protection Board, the U.S. Department of Commerce and the U.S. Mission to the European Union, which is based in Brussels. We were glad to learn that EU and U.S. officials appear to be gaining momentum in their efforts to come to agreement on a successor to the Privacy Shield, and we hope the process can be completed by the end of the year.
The meetings also proved fruitful in exploring forthcoming EU regulations. While our takeaways were plentiful, we would highlight these four:
- The European Commission and U.S. Department of Commerce hope to reach an agreement in principle on a successor agreement to the EU-U.S. Privacy Shield by year-end, although formal approval on both sides of the Atlantic may take longer.
- EU and U.S. officials are encouraged by the recent U.S.-EU Trade and Technology Council meeting and both sides value finding common ground on principles to address ecommerce policy concerns, including the use of artificial intelligence. In the EU, a new AI regulation “stakeholder consultation” has just opened, permitting industry to weigh in on liability issues that could impact U.S.-based retailers operating in the EU.
- The EU Parliament may soon vote to either partially or fully ban targeted online advertising as an amendment to the Digital Services Act package expected to be adopted as early as this fall. A ban of any kind could severely impact U.S. retailers operating in the EU, and we might expect further pressure to limit targeted advertising here in the U.S. if the EU ban is approved.
- The EU’s latest data proposal — the Data Act — set to be released in the next few months could significantly impact retailers by creating rules regarding business-to-government and business-to-business sharing of corporate data assets. With the text presently unavailable, it is unclear what anti-competition provisions and protections for proprietary data it will contain for U.S. businesses operating in the EU.
We encourage NRF members interested in participating in monthly discussions of EU data policy issues to join our Global Privacy Task Force, a subcommittee of our Privacy Committee, to help develop NRF’s position on these EU policies. That, in turn, will help our government relations team in its efforts to address similar proposals here in the United States.