Last week, Europe's top court ruled that the Privacy Shield data-sharing agreement between the U.S. and European Union was invalid. In the ruling by the European Court of Justice, judges expressed concerns that Privacy Shield certification did not adequately protect the data of European citizens from U.S. surveillance activities in the same way that data is protected in the EU.
The origins of the case go back to June 2013 when Austrian citizen Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner against Facebook Ireland, in which he argued that Facebook Ireland, a subsidiary of Facebook, should be prohibited from transferring his personal data to the U.S.
He also successfully argued that the privacy law did not adequately protect his personal data. This complaint, though initially dismissed by the Irish regulator, eventually led to the European Court of Justice striking down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer data from Europe to the United States.
The EU-US Privacy Shield, created in 2016 to replace the Safe Harbor agreement, provided stronger protections for the personal data of EU citizens when exported to the U.S. Schrems went to court over this too and finally, last week, the EU Court of Justice, or CJEU, also struck it down.
Specifically, the Court found that U.S. law does not ensure the level of protection required by the GDPR, the EU’s General Data Protection Regulation, because in the United States the interests of national security, public interest and law enforcement have primacy over the fundamental privacy rights guaranteed within the European Union by virtue of the GDPR, which came into force in May 2018.
The Impact of the CJEU Decision
There are approximately 5,000 companies signed up to the Privacy Shield, which is essentially a self-certifying mechanism administered by the U.S. Department of Commerce. However, it should be noted that the ruling left open standard contractual clauses as an appropriate mechanism for onward data transfers, subject to a case-by-case assessment of the merits of transferring data under this mechanism.
The Shield was intended to strengthen privacy rights consistent with GDPR, including adherence to the core privacy principles of notice, choice, security, integrity, access, enforcement and accountability, said Andrew Pery, ethics evangelist at Milpitas, Calif.-based ABBYY. Perhaps the most important aspect of the Privacy Shield was its more rigorous access, monitoring and enforcement mechanisms, which were lacking in the Safe Harbor agreement.
The Privacy Shield required U.S. authorities to set up mechanisms for EU data subjects to seek redress in U.S. courts to safeguard their privacy rights, including access to an independent dispute resolution at no cost. Pery identified three major implications of last week’s decision:
1. Data Transfer
The decision has a broad impact on U.S. companies transferring data from the EU. The most immediate consequence is that the Privacy Shield is no longer a valid legal basis for onward data transfers between the EU and the U.S. and therefore, in the event of non-compliance, companies may be subject to EU enforcement mechanisms laid out in the GDPR regulation.
2. Cross-Border Trade
Given the extensive cross-border trade relationship between U.S. and EU entities, this ruling can create considerable barriers and hurdles to overcome, particularly for digital companies that rely on the flow of digital content as the basis for their business. “It should be noted that the principal complaint in the decision involved Facebook and their use of [EU] subscriber information for the purposes of monetizing such subscriber information, their implied consent to do so notwithstanding,” Pery said.
“While Facebook with their market power can navigate around the decision, most organizations will be challenged to do so and will likely incur additional costs to comply.”
3. Case-By-Case Data Transfers
It should be noted that the ruling left open standard contractual clauses as an appropriate mechanism for onward data transfers, subject to a case-by-case assessment of the merits of transferring data.
“In the end, what is really needed in the U.S. is a more comprehensive federal privacy legislation that creates a balance between the flow of information and privacy rights,” Pery said.
Re-evaluating Data Privacy Standards
Brittany Roush, director at McLean, Va.-based Crypsis Group, said businesses must now re-evaluate their data privacy standards yet again and introduce new mechanisms to protect data. For businesses that spent thousands, if not millions, of dollars to become GDPR and Privacy Shield compliant, this ruling may feel like going back to the drawing board.
“With many companies still navigating these waters, it introduces new complexities, confusion and delays in getting these privacy programs implemented," Roush said. "Not only does this pose a risk to businesses but it poses a risk to those businesses' customers who expect their data to be protected.”
Global companies will still be able to operate because standard contractual clauses are still considered sufficient to protect cross-border transfers of data, but there is an increased level of risk to businesses as they no longer have the clear standards set by Privacy Shield to guide them.
Roush added that it also puts companies in a delicate position if their data is subpoenaed by U.S. authorities for national security investigations, particularly if handing over that data may run afoul of EU regulations. They will have to decide between fighting the U.S. government or facing immense fines in the EU, neither of which puts the business in a good position. Introducing more risk and uncertainty during a pandemic and in the middle of civil and economic unrest is going to continue to put pressure on a struggling economy. That stress will be compounded if this ruling compromises the estimated $71 trillion economic relationship with EU businesses.
In a broader sense, Roush said, it might appear the EU is intending to push the U.S. to build a data privacy posture that is equivalent to the EU's. It is unlikely that the U.S. will capitulate, and even if it were willing to, such an overhaul of data privacy would take years to accomplish. It would require new laws to be passed, a new regulatory body and framework to be established, companies to take the time and expend the resources to implement changes, and national security agencies to make a fundamental shift in how they conduct surveillance.
“What is clear is that U.S. businesses are holding their collective breath, waiting for enforcement standards to be provided by the EU so they can start to build a path forward,” she said.
EU vs. U.S.
Fred Cate, vice president for research at Indiana University and an expert on cybersecurity, information privacy and security law, said the decision threatens a huge economic impact on both the United States and Europe. More to the point, he said, it highlights several inconsistencies in the relationship between the EU and the U.S. over data and data privacy, including:
1. Data Surveillance
The European Court of Justice judged the U.S. by a standard that no European government could meet. It found that U.S. surveillance powers threatened the data of Europeans without noting that European government surveillance powers pose similar or greater threats to the same data.
2. Data Movement
The decision struck down Privacy Shield but left intact other methods for transferring personal data to the U.S. This makes no sense since if U.S. surveillance poses a threat to European data, it poses it no matter what method is used to transfer the data into the U.S.
3. Other EU Trading Partners
The decision is oddly myopic because while focusing on the U.S., it ignores the surveillance activities of China, Russia and other major trading partners of the EU. It leaves an ironic situation in which despite all of the efforts to protect privacy, the court is making it more difficult to transfer data to the United States yet imposes no impediments to transferring data to China and Russia and other countries that have done little or nothing to protect personal privacy.
4. U.S. Security
The final irony is that U.S. surveillance powers extend to European data even if located in Europe. This case ignores the fact that under U.S. law data is more protected when located in the United States than if it is located elsewhere. If the European Court of Justice were serious about protecting personal data from U.S. surveillance it would require that data be stored in the United States where it would be more protected.
Scott Shackelford, cybersecurity program chair at Indiana University Bloomington and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, said the Schrems saga demonstrates the extent to which transatlantic privacy rights are diverging. This may not be the start of a digital privacy cold war, as some have feared, but it does underscore the extent to which trade protectionism, privacy and cybersecurity are converging.
It also highlights contrasting EU and U.S. views on internet governance generally, particularly with regard to digital sovereignty. The EU, for example, has sought to keep data on EU citizens within its territorial borders. GDPR goes even further, asserting the EU's ability to regulate all data related to EU persons regardless of its storage location or place of origination. Following from other EU precedent such as the right to be forgotten and the EU antitrust cases, the EU is in some ways pushing a view of privacy that is quickly becoming the default global standard.