We recently talked about getting to grips with international data protection laws. And if you operate in Europe or the US, a big one to be aware of is the Privacy Shield.
For five years, the Privacy Shield has underpinned digital transatlantic trade for more than 5,500 businesses — including the likes of Amazon and Microsoft — which sign up to higher privacy standards before transferring data to the US.
But all of this came to an abrupt end on the 16th of July, when the agreement was struck down by the European Court of Justice (ECJ) — leaving thousands of businesses facing legal uncertainty amidst a potential data trade war.
Why did the ECJ do this?
It’s no secret that the ECJ has long been suspicious of US data standards. And for good reason. Compared to EU countries, the US carries out disproportionate surveillance practices which interfere with the fundamental rights of people whose data has been transferred.
These surveillance laws came to light in 2013 when the Snowden leaks disclosed — amongst many other revelations — that US tech companies were obliged to share their customers’ private data with the National Security Agency under the PRISM programme.
This isn’t the first time the ECJ has killed such an arrangement with the US, either. Some may recall the ECJ overturning the Privacy Shield’s predecessor, Safe Harbour, in 2015 over similar concerns about US surveillance and the lack of privacy rights for EU citizens.
So, what does this mean for businesses?
As of the 16th of July, companies can no longer legally transfer data to the US under the Privacy Shield. Instead, they must carry out stringent privacy audits or risk being smacked with hefty fines under the General Data Protection Regulation (GDPR).
Alternative data transfer mechanisms — such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) in the case of multinationals — do exist to share data with the US. Many big players, such as Microsoft, already use these non-negotiable contracts.
However, SCCs are likely to face closer scrutiny from now on, and data controllers wanting to use them will need to assess whether US law provides adequate protection. If the law in the US could override what the contract says, the SCC won’t work — which could spell trouble for anyone operating in or sending data to the US.
The fall of the Privacy Shield could also cause additional issues for businesses in the UK, which wants unrestricted data transfers with both the EU and the US. But if the EU thinks the UK will just become a backdoor to unprotected US data transfers, things won’t be so simple.
Intense commercial pressure means the US and the EU need to reach a new agreement — quickly. It took nine months to agree a successor to Safe Harbour, but the financial impact of COVID-19 combined with legal uncertainty for businesses trading with the US call for a greater sense of urgency this time around.
Talks have now begun over a possible replacement agreement that could put data sharing between the EU and the US on an equal legal footing. However, reconciling EU privacy and human rights law with US surveillance laws will be a difficult task.
If it’s to survive future legal challenges from the ECJ, any successor to the Privacy Shield will need to offer EU citizens legal rights of redress in the US if they believe their data has been used unlawfully by US law enforcement or intelligence services. Meaning the US may have to seriously reform some of its mass surveillance programmes…
There’s nothing worse than worrying about being on the wrong side of the law. If you’re looking for a PEO in the US, UK or elsewhere in Europe who can help you navigate these new data requirements, get in touch with PEO Worldwide today to find out more about our legal services.