Privacy Mandates in Transition as Privacy Shield Falls
The EU and US again part ways on privacy protection
Since its inception, the Privacy Shield has played an integral role for domestic companies when it comes to ensuring the privacy of data transfers between the EU and the US. However, a recent watershed ruling by the Court of Justice of the European Union (CJEU) has caused a seismic shift.
On July 16, the CJEU invalidated the Privacy Shield, marking the latest calamity between the US and the EU relating to privacy and data security. Given the wide-reaching impact of this protocol — and its centrality to sensitive, valuable work — this decision will have major ramifications on transatlantic commerce and trade.
An Ever-Evolving Legal Landscape
Until 2015, businesses operating across the Atlantic did so under the “Safe Harbor” agreement. This agreement was troubled, however, by the concerns raised by Edward Snowden about internet privacy. Austrian privacy advocate Maximilian Schrems filed a suit claiming that, in light of these revelations, the Safe Harbor protocol did not go far enough in protecting EU citizens’ data from potentially invasive collection by US governmental agencies, and the CJEU agreed.
In place of Safe Harbor, they devised the Privacy Shield. The Privacy Shield framework allowed American companies to certify that they were operating in compliance with EU privacy laws. But this framework did little to assuage concerns on the part of European commentators. As such, Schrems filed suit again — and won again — with the Court ruling that the guarantees of the Privacy Shield were inadequate to meet the privacy standards of the EU General Data Protection Regulation (GDPR).
The decision will have wide-ranging implications for how US companies operate with their European counterparts. In the wake of the ruling, US Secretary of Commerce Wilbur Ross issued a statement emphasizing the importance of mitigating the potential damage of the invalidation of the Privacy Shield. “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” stated Ross.
The Impact on Companies Throughout the Globe
This decision has a number of ramifications for businesses in the United States and abroad. Without a streamlined means of transferring sensitive data between the EU and US, companies working between the two territories will have to rely on SCCs (standard contractual clauses), which are non-negotiable and drafted with no input from US entities. These agreements are, on the whole, much less of a streamlined process than the Privacy Shield — and even they might be on their way out.
Many major tech companies, including Microsoft, have been using SCCs for some time, often alongside the Privacy Shield. But the same privacy advocates that raised concerns about Safe Harbor and Privacy Shield have argued that SCCs likewise do not go far enough to meet the requirements of the GDPR. This has led many to speculate that they too will be phased out by European officials sooner rather than later. It remains to be seen what, if anything, will emerge to replace the Privacy Shield.
This creates an air of uncertainty, particularly for companies, law firms and service providers concerned with eDiscovery, which often relies on the transfer of data, much of which contains sensitive or personal information, for clients all over the world. In the interim, until the dust settles around this decision, it is paramount for anyone involved in eDiscovery to quickly adapt based on the Court’s decision.
How Businesses May React
It is always crucial that companies dealing in sensitive data take strong steps to ensure that their clients understand the ways in which such data may be collected or used, and make sure that sensitive or personal information is protected. However, in light of the Privacy Shield ruling, it is more important than ever.
The development of a robust and efficient SCC process will no doubt be crucial to reducing any potential increase in overhead or turnaround time engendered by this decision. Beyond that, keeping abreast of the latest developments in the ongoing battle over privacy is a necessity for affected companies, lest they be blindsided by another decision such as this.
It is unclear how the US and the EU will proceed on this matter from here. The phrasing of Secretary Ross’s statement suggests that the US may still be attached to the framework of the Privacy Shield. Meanwhile, the uncertain fate of SCCs suggests that the EU may be preparing to shake things up once more. Industry organizations, including the Computer & Communications Industry Association (which operates in the United States and in the EU), have called on lawmakers on both sides of the Atlantic to come to a timely and long-lasting agreement.
Ultimately, the value of transatlantic commerce is not lost on lawmakers in either the US or the EU. And though the immediate legal and economic aftermath of the Court’s decision is unclear, there is a strong incentive for companies and lawmakers alike to swiftly find a way to mitigate any potential damage.