By Anna Bosch and Matt Schwartz
On July 16, 2020, the European Court of Justice (ECJ) struck down the EU-U.S. Privacy Shield agreement, which provided a stable, streamlined, and inexpensive mechanism for the transatlantic flow of data between the two regions. The court cited concerns with U.S. surveillance law, which it interpreted as unacceptably degrading European data subjects’ rights under the General Data Protection Regulation (GDPR) when their data entered U.S. borders. The decision will negatively affect international trade and the transatlantic data economy.
The ruling comes as a significant blow to our members who do business globally. As we pointed out in our statement on the decision, small and medium-sized enterprises (SMEs) comprise 70 percent of the companies using Privacy Shield. Now those businesses, including many of our members, must turn to costlier, legally uncertain standard contractual clauses (SCCs) or other methods to effectuate the transatlantic data flows that underpin the functioning internet. We thus urge the European Union (EU) and the U.S. government to negotiate a successor to the Privacy Shield as quickly as possible to restore legal certainty for all businesses that use cross-border data transfers. During this time, it will be essential that the EU and United States ensure that data transfers can continue during negotiations of any new agreement.
Until then, unfortunately, there is little U.S.-based SMEs can individually do to assuage the ECJ given the broader context of U.S. privacy and surveillance law, other than signing SCCs. While those businesses may, and often do, go beyond current U.S. law to comply with GDPR and respect the rights of European data subjects, they remain subject to lawful access requests by U.S. law enforcement and national security agencies that the court views as problematic. Thus, through no fault of their own, small businesses are now at risk of having international data flows interrupted through decisions like the one handed down by the ECJ. Faced with no viable alternative, many companies may decide to suspend data transfers to avoid violating GDPR requirements until conditions change.
The U.S. Department of Commerce stated that for now, it will still administer the Privacy Shield and that obligations would continue to apply to those who are registered participants in the program. However, the ECJ’s ruling means that those businesses are no longer legally able to transfer data across the Atlantic. There will be an allowance for companies that process user data as a “necessary” step to fulfill their contracts. Nonetheless, most businesses are now scrambling for a legal solution to this issue they did not anticipate needing to revisit. SCCs do not provide an immediate alternative and cannot replace the essential tool that the Privacy Shield became under law. To make use of SCCs, businesses will have to prove to EU privacy regulators that their customer data is not subject to U.S. surveillance laws, which may prove to be an uphill battle.
Smart reforms to U.S. privacy and surveillance rules would go a long way toward providing a long-term and reliable solution to the international data sharing predicament. That is part of the reason why the App Association advocates for a comprehensive federal privacy law. A strong federal privacy law that provides protection and legal certainty across all 50 states would help reassure our international trading partners that the country takes privacy seriously and could help reopen good-faith avenues of negotiation on a new agreement now that the Privacy Shield no longer exists.
Yesterday’s ruling also highlights the short-sightedness of recent agitation by some members of Congress to eliminate end-to-end encryption, such as through the Lawful Access to Encrypted Data Act or the EARN IT Act. If existing U.S. surveillance law already places the nation on shaky ground to proceed with international data sharing agreements, undermining encryption to allow even more pervasive snooping of otherwise secure content and communications only degrades the situation further. Abandoning end-to-end encryption likely forecloses opportunities to renegotiate a new version of Privacy Shield and virtually guarantees the continuation of data reshoring trends more broadly. Like a federal privacy law, strong encryption can serve as a bulwark against harmful decisions like the one reached yesterday.
The App Association will continue to monitor fallout from the ECJ’s decision and to advocate for domestic policies that put U.S. businesses in the best possible position to regain legal certainty on transatlantic data sharing agreements.