Top EU court blows up data transfer agreement relied on by Google, Facebook, Amazon
Privacy Shield is dead, what now for U.S. brands and marketers doing business in the European Union?
Last week Europe’s highest court struck down the Privacy Shield framework, used by almost 5,400 companies for large scale data transfers between Europe and the U.S. The vast majority of U.S. tech and martech firms rely on this agreement, including Facebook, Google, Microsoft, Amazon and thousands of others.
The case was “Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.” Schrems is an Austrian privacy advocate who has sued Facebook multiple times and argued that his personal data was vulnerable to government surveillance if transferred to Facebook’s American servers.
Confusion and discontinuity. Bulk data transfers between the U.S. and EU will likely continue in the immediate aftermath under so-called Standard Contractual Clauses (SCCs), which the court did not formally invalidate. SCCs are model contract terms, approved by the European Commission, that a data exporter and a data importer sign in order to transfer personal data outside the EU. Companies such as Microsoft have pointed to SCCs as a way to maintain continuity and to assure customers of their cloud services that there won’t be disruption.
As a practical matter, SCCs probably cannot be used any longer by U.S. companies (more on that below). This means there is likely no currently valid legal mechanism for large-scale transfers of European users’ personal data to the U.S., and the decision creates legal exposure for U.S. companies that continue to make such transfers. The U.S. Commerce Department and the European Commission (EC) have both vowed to work on maintaining data flows across the Atlantic.
Yet it’s highly unlikely that a new framework can come together quickly, because it would essentially require a fundamental change in U.S. data privacy or national security law – or both.
Objections to U.S. data surveillance. The Court of Justice of the European Union (CJEU) ruled that the Privacy Shield framework, which replaced the similarly invalidated Safe Harbor agreement, does not give enough protection to EU citizens’ data when it is transferred to servers in the United States. The concern is that U.S. national security laws (the court pointed in particular to Section 702 of FISA and Executive Order 12333) allow the government to conduct bulk data collection and surveillance without adequate limits, and without giving EU citizens an effective way to challenge it in court.
In a nutshell, U.S. privacy laws are inadequate from an EU perspective. And current U.S. national security regulations are fundamentally at odds with European privacy laws and the GDPR in particular.
To correct the deficiencies of the Safe Harbor agreement, Privacy Shield had offered a number of enhanced protections and safeguards for European data. It required participating U.S. companies to adopt privacy policies with specific obligations to guarantee individual rights, and the U.S. government provided new assurances and a dispute resolution mechanism (an ombudsperson) for Europeans. The CJEU found all of this inadequate, in particular because the ombudsperson is not an independent tribunal and cannot bind the intelligence agencies.
SCCs probably won’t work for U.S. companies. Lawyers and tech companies, as mentioned, are pointing to EU-approved SCCs to maintain operational continuity. Given the logic of the decision, however, SCCs are only effective when the law of the country receiving the data does not prevent the importer from honoring them. The European data exporter (e.g., Facebook Ireland) is required to verify, on a case-by-case basis, that the recipient country (i.e., the U.S.) provides protection essentially equivalent to that guaranteed under EU law, to add supplementary safeguards where it does not, and to suspend the transfer where no such safeguards are possible. This has implications for China and other authoritarian countries as well.
That scrutiny of recipient-country law would invariably trigger the same logic that invalidated Privacy Shield in the first place: EU data protection is at odds with U.S. national security policies. Individual companies could try to adopt additional contractual protections, but those safeguards would probably not overcome government surveillance, since a private contract cannot bind the U.S. government. Companies would effectively need to go to court against the U.S. government on a regular basis.
Undoubtedly there will be more litigation in Europe if U.S. companies try to conduct “business as usual” under SCCs, which many are currently doing or planning to do. Like it or not, Europe is forcing its privacy law on the rest of the world.
Why we care. Any U.S. company doing business with EU citizens has to comply with GDPR in the ways they collect and process user data. But that’s not enough; it’s probably the case — absent some major change in U.S. law — that European user data can’t even be transferred to U.S. servers. Indeed, the CJEU is objecting to behavior of the U.S. government, not private companies.
The way it looks now, U.S. companies will probably need to store and process user data locally on European servers. Note that EU hosting alone is not sufficient if U.S.-based staff or systems can still reach the data, since remote access from the U.S. is itself a transfer under the GDPR. Marketers working with third parties that process data, including martech companies, will also need to ensure that those vendors are compliant with the decision. But for now, most firms are going to rely on SCCs while hoping that the EC and the Commerce Department can work out something legally acceptable, which very much remains to be seen.