Thousands of companies will face restrictions on storing information about European Union residents on U.S. servers, after the bloc’s top court ruled that such transfers exposed Europeans to American government surveillance without “actionable rights” to challenge it.
The surprise ruling last Thursday by the European Court of Justice, which invalidates a widely used EU-U.S. data-transfer agreement known as Privacy Shield, is a victory for privacy activists who have long said the U.S.’s surveillance practices should make it ineligible to store European data.
The decision, which pits European data-privacy concerns against US national-security priorities, will create legal headaches and potentially disrupt the operations of thousands of MNCs such as Amazon, Facebook, Google and Mastercard, to name only a few. Depending on how it is applied, the ruling could force some of them to decide between a costly shift of data centers into Europe or cutting off business with the region.
Blocking data transfers could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources, marketing and advertising information about Europeans on US soil, tech advocates say.
Affected industries are calling on policy makers on both sides of the Atlantic to develop a ‘sustainable solution, in line with EU law, to ensure the continuation of data flows which underpin the trans-Atlantic economy.’
Eduardo Ustaran, Partner and Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells, put it best: “The impact of this decision is immediate and global. It goes significantly further than the invalidation of the Privacy Shield as it requires companies to bear in mind other countries’ powers over data access when engaging in global data flows. This is a big job.”
US Commerce Sec. Wilbur Ross said he was disappointed with the ruling and was in touch with his European counterparts in the hope of limiting the ‘negative consequences to the US$ 7.1 trillion trans-Atlantic economic relationship.’
Margrethe Vestager, the top official in charge of digital policy and competition at the European Commission – the EU’s executive arm – said the bloc would look to replace the Privacy Shield. ‘We will work hard to make sure that data can be transferred,’ she said. ‘We are a data-driven economy.’
The EU and the US implemented the Privacy Shield agreement nearly four years ago, after a prior framework, called Safe Harbor, was scrapped in 2015 over surveillance concerns. More than 5,000 companies have signed up to the newer framework, of which more than 70% are small- and medium-sized businesses.
Under Thursday’s ruling, privacy regulators could block data transfers using the special contracts to other countries as well, lawyers say.
Thursday’s decision did not mention the UK’s exit from the EU. However, the ruling could complicate British efforts to ensure that companies can continue to store Europeans’ personal information after it ends a transition period from the EU.
The judgment invalidates the EU-US Privacy Shield. For now, the Court upheld the use of Standard Contractual Clauses (SCCs), but it added new considerations for organizations and authorities using SCCs as the transfer mechanism of choice.
EU Commissioner Didier Reynders (Justice) said in a press conference last Friday that he wants “a formal approval to modernize the Standard Contractual Clauses as soon as possible”. As to the future of the Privacy Shield, Reynders mentioned he expects the conversations with the United States to start immediately. Once the analysis of the CJEU verdict is completed, the EU will work to develop “a strengthened and durable transfer mechanism”.
The European Data Protection Board intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organizations, and stands ready to provide the European Commission with assistance and guidance to help it build, together with the US, a new framework that fully complies with EU data protection law.
The ruling invalidates Privacy Shield as a method for cross-border data transfers and can have a wide-ranging impact on privacy professionals. Many companies rely in some part on Privacy Shield to conduct global business, operate in the cloud, and work with vendors.
Given that this just happened last Thursday, further guidance and statements are expected. We will keep you informed.
Please bear in mind that MNCs and BPOs in the Philippines are also affected by this, and we have to expect that privacy rules in other jurisdictions, such as the APEC Cross-Border Privacy Rules (APEC CBPR), will be affected and changed.
If you have feedback, contact me at email@example.com.