“Trans-Atlantic commercial arrangement is worth 7.17 trillion dollars.”

                                      — Wilbur Ross, U.S. Secretary of Commerce.

Why did the Court of Justice of the European Union (CJEU) dismantle a trillion-dollar data-transfer arrangement between the European Union and the United States?  And what can affected United States (US) companies do in response?

Background

In 2013, prompted by Edward Snowden's revelations about U.S. mass surveillance, Max Schrems (who later founded the privacy group NOYB) filed a complaint with the Irish Data Protection Commissioner over Facebook's transfers of his personal data to the United States.  The case reached the Court of Justice of the European Union, which in October 2015 (Schrems I) invalidated the Safe Harbor framework on which U.S. companies had relied, holding that it did not adequately protect European Union (EU) personal data.  In response, the European Commission and the U.S. Government agreed the Privacy Shield Framework in 2016, a self-certification scheme that thousands of U.S. companies joined in order to keep receiving personal data from EU member states.

In July 2020, in Schrems II, the CJEU struck down the 2016 Privacy Shield Framework after Schrems's follow-on complaint. The Court measured the arrangement against the General Data Protection Regulation (GDPR), applicable since May 2018, and the EU Charter of Fundamental Rights, and found that U.S. national security surveillance programmes, in particular collection under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, are not limited to what is strictly necessary and give EU data subjects no effective judicial redress.  Personal data transferred under Privacy Shield was therefore exposed to surveillance without the safeguards and enforceable legal rights GDPR requires.  For a more in-depth discussion of GDPR see our research blog post, GDPR and CCPA.

This ruling sends a message to the U.S. Government: either narrow the surveillance methods and practices currently allowed under Section 702 of FISA, or force U.S. companies to change their data practices or forfeit the commerce. It is doubtful that the US will ever become as restrictive as the EU on regulation of personal privacy, even as individual states put in place more stringent rules.

Who is affected?

The ruling bears most heavily on companies that move personal data abroad for uses beyond the narrow purpose for which it was collected (GDPR's purpose limitation principle).  Transfers that are necessary to perform a contract with the data subject can rely on the derogation in GDPR Article 49(1)(b) and never needed Privacy Shield, which is why routine transactions are the least exposed.  This suggests two things:

    1. Ordinary daily Trans-Atlantic transactions, such as fulfilling an online retail order, are not what this ruling targets.
    2. Companies that move business communications, emails, financial data and even social media posts to the U.S. for internal use beyond the original purpose are squarely affected by this ruling.

What can affected companies do now?

The Computer and Communications Industry Association, which represents many of the Big Tech companies affected, stated, “this court decision creates legal uncertainty for thousands of large and small companies that rely upon Privacy Shield for their daily commercial data transfers.”

The invalidation of Privacy Shield does not mean data transfers have to stop. What it does mean is that EU regulators are likely to demand more oversight of the legal mechanism each transfer now relies on.

Options exist to both alleviate uncertainty and comply with EU rules.

To keep cross-border transfers flowing, put them on one of the GDPR Chapter V mechanisms that survived the ruling.  Standard Contractual Clauses (SCCs), the Commission-approved contract terms under Article 46(2)(c), are signed between the EU data exporter and the non-EU importer (controller or processor).  The Court upheld SCCs in principle, but made the exporter responsible for verifying, transfer by transfer, that the importer's local law (for a U.S. importer, Section 702 of FISA) does not undermine the clauses, and for adding supplementary measures where it does.  Binding Corporate Rules (BCRs) under Article 47 are a separate mechanism for multinational groups transferring personal data between their own entities beyond the borders of the European Economic Area (EEA); they require approval by the competent supervisory authority through the consistency mechanism set forth in Article 63 of the GDPR.  For more on BCRs under GDPR, see BCRs and Data Protection Procedures.

SCCs and BCRs can be expensive for small and medium-sized companies to establish and monitor, and BCRs cover only transfers within a corporate group, not transfers to unrelated business partners. In response, some companies may start with temporary or stopgap measures, such as moving front-end processing and storage to servers physically located within the EU, or routing data to another country instead, which only helps if that country holds an EU adequacy decision. More permanent measures include data management procedures that narrow what personal data is used and where: minimising and pseudonymising records before they leave the EU, and deploying end-to-end encryption (E2EE) in which the keys stay with the EU exporter, so that the U.S. importer, and any surveillance order served on it, sees ciphertext only. Merely obscuring a transfer's network path, for instance by randomly switching servers, does not change where the data ends up or who can read it, and so offers no protection that GDPR recognises.
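As an added illustration (not code from the original post, nor from any product, firm or institution mentioned here), the following Go program sketches the E2EE and pseudonymisation measure described above. It assumes an EU-hosted gateway (the hypothetical EUGateway with Export and Reimport) that HMAC-pseudonymises the customer identifier and encrypts the personal field with AES-256-GCM under keys that never leave the EU, and a U.S. processor (the hypothetical USAggregate) that can total spend per pseudonym but cannot read or re-identify anything. All names and the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed example of a customer record held by an EU controller.
type Record struct {
	CustomerID string // direct identifier of an EU data subject
	Email      string // personal data the US importer has no need to read
	OrderTotal int    // cents; the importer does need this for analytics
}

// ExportRecord is what actually crosses the Atlantic.
type ExportRecord struct {
	Token      string // HMAC-SHA256 pseudonym: stable for joins, not reversible without the key
	Nonce      []byte // per-record AES-GCM nonce
	Ciphertext []byte // AES-GCM seal of Email, with Token bound as associated data
	OrderTotal int
}

// EUGateway is the hypothetical EU-hosted front end. Its keys are generated
// and used only here; the US processor never receives them.
type EUGateway struct {
	gcm       cipher.AEAD // AES-256-GCM
	pseudoKey []byte      // HMAC key
}

func NewEUGateway() (*EUGateway, error) {
	keys := make([]byte, 64) // 32 bytes AES key + 32 bytes HMAC key
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EUGateway{gcm: gcm, pseudoKey: keys[32:]}, nil
}

// Pseudonymize maps a customer ID to a keyed token: same ID, same token, so the
// importer can group records, but the ID cannot be recovered without pseudoKey.
func (g *EUGateway) Pseudonymize(id string) string {
	m := hmac.New(sha256.New, g.pseudoKey)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// Export strips the direct identifier and seals the personal field before transfer.
func (g *EUGateway) Export(r Record) (ExportRecord, error) {
	token := g.Pseudonymize(r.CustomerID)
	nonce := make([]byte, g.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ExportRecord{}, err
	}
	// Token as associated data: a ciphertext moved onto another record's token
	// abroad fails authentication when it comes back.
	ct := g.gcm.Seal(nil, nonce, []byte(r.Email), []byte(token))
	return ExportRecord{Token: token, Nonce: nonce, Ciphertext: ct, OrderTotal: r.OrderTotal}, nil
}

// Reimport recovers the personal field inside the EU. It fails under any other
// key and for any record whose token or ciphertext was altered in transit.
func (g *EUGateway) Reimport(e ExportRecord) (string, error) {
	pt, err := g.gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Token))
	if err != nil {
		return "", fmt.Errorf("reimport: %w", err)
	}
	return string(pt), nil
}

// USAggregate models the importer's legitimate use: spend per pseudonym. It holds
// no key, so a Section 702 order served on it can yield only ciphertext and tokens.
func USAggregate(records []ExportRecord) map[string]int {
	totals := make(map[string]int)
	for _, r := range records {
		totals[r.Token] += r.OrderTotal
	}
	return totals
}

func main() {
	g, _ := NewEUGateway() // error handling elided in the demo only
	a, _ := g.Export(Record{CustomerID: "cust-42", Email: "anna@example.eu", OrderTotal: 1999}) // constructed sample
	b, _ := g.Export(Record{CustomerID: "cust-42", Email: "anna@example.eu", OrderTotal: 501})
	fmt.Println("same pseudonym:", a.Token == b.Token, "US-side totals:", USAggregate([]ExportRecord{a, b}))
	email, err := g.Reimport(a)
	fmt.Println("EU-side reimport:", email, err)
}
```

Two caveats a practitioner would add: random 96-bit GCM nonces are safe only for a bounded number of messages per key, so rotate the encryption key well before 2^32 exports; and pseudonymisation only helps if the importer cannot recover the identifier by another route, for example from a correlated field left in clear alongside the token.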

Finally, companies should simultaneously lobby their representatives in the U.S. Government to narrow the scope of Section 702 of FISA, added by the FISA Amendments Act of 2008, including its "upstream" collection from internet backbone providers.  Admittedly this is a longer-term effort hampered by political and national security hurdles, particularly given the complexity of the overlapping statutes: the Foreign Intelligence Surveillance Act (FISA), the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) and the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act (USA FREEDOM Act).


U.S. State Department Press Release:  https://www.state.gov/european-court-of-justice-invalidates-eu-u-s-privacy-shield/


Author Disclosure

I am the author of this article and it expresses my own opinions. I have no vested interest in any of the products, firms or institutions mentioned in this post. Nor does the Analyst Syndicate. This is not a sponsored post.