On 16 July 2020, the ECJ (European Court of Justice) ruled the EU-US Privacy Shield invalid. It was not the first time this court made a splash on both sides of the Atlantic: The ruling clearly illuminated the fundamentally different perspectives – and priorities – of the European Union and the United States regarding data protection and data privacy. It has caused great uncertainty for many enterprises and presented them with challenges regarding how to handle data going forward. In the long term, however, this ruling offers European enterprises valuable opportunities to reassess data-driven business models and re-imagine them in a way that is compliant with the required protections of personal data. Things may not be so simple for US enterprises seeking trade in Europe.
European Court of Justice overturns EU-US Privacy Shield, reaffirming the protection and value of personal data
For many, the ruling of the ECJ (European Court of Justice) came as no surprise. Still, its reverberations echoed through European enterprises: The EU-US Privacy Shield, an agreement regulating the protection of the personal data of European citizens transferred to the United States, was ruled invalid, effective immediately. As with its predecessor, the Safe Harbour Privacy Principles that the court overturned in 2015, the court determined that data transferred to the United States was not protected in the way current EU law (GDPR) demands. Standard Contractual Clauses, which constitute the foundation on which many enterprises transfer data to the USA, continue to be valid. If, however, it turns out that, despite these clauses, data protection in the United States does not take place in real and concrete cases, this last remaining legal basis will undoubtedly be invalidated as well.
Indispensable for European companies' data transfers to the US: Standard Contractual Clauses.
Data is ever more important, and it is becoming increasingly valuable for a variety of actors. Since data in digital form can be easily stored, processed and transferred, it is a highly sought-after resource, often referred to as "the new gold". In the world today, there are very different approaches when it comes to processing and using data:
- for more effective monitoring and control of an entire population
- for the pursuit of one’s own geopolitical interests
- for the benefit of specific economic interests
- with a strong focus on data protection and the rights of individuals
In times of cloud computing and the networking of a wide variety of systems, many European companies send data streams to the United States, where the international market leaders, the so-called "big players", are based.
Dominating the cloud market worldwide: US service providers.
With the ECJ’s ruling, there are a large number of enterprises that feel the urgency to act now.
Cryptshare CEO Mark Forrest gives his insights as an entrepreneur and veteran in the IT business
What are the key takeaways from this ruling by the European Court of Justice?
Mark Forrest: “It is important to understand that this ruling did not take place in a vacuum. We are looking at 20 years of legislation: From the Safe Harbour Privacy Principles to the EU-US Privacy Shield, the practice of self-certification had enabled companies to basically tick a box and say ‘Yes, we comply’ with data protection laws. They did not have to prove their compliance, rather their non-compliance had to be proven. This practice has now been ruled invalid once again: The Privacy Shield was struck down by the European Court of Justice this year in July, the same happened to Safe Harbour, its predecessor, back in 2015.
European legislation demands that privacy requires specific top priority guidelines. In the United States other factors are in the foreground: National security takes precedence over data protection concerns, meaning privacy gets put aside, or at least is diminished as a consideration. With this ruling, there are penalties in place that can be pretty large for companies that breach the EU requirements and the case against Facebook has been re-opened.
The United States have a strong national agenda; their economic interests and national security concerns don’t necessarily align with European laws for data protection. The question now is how the United States will respond to this ruling. It will be interesting to see what follows if US companies are fined for violations of the GDPR, or if US intelligence agencies are meaningfully restricted in their access to the personal data of European citizens. Certainly, we should expect quite some debate back and forth: national security is a two-way street, and data-driven business with high economic value is more biased to US interests.”
What are the implications for European enterprises?
Mark Forrest: “A lot of enterprises will look at this and think ‘There is nothing we can do’. Most of them use tools provided by third parties from outside the enterprise. With the expertise not sitting in-house, there is a high dependency. In today’s world, there is no going back from using office tools, databases, analytics tools, integrations… it is not only cloud service providers offering these. The reality is that the biggest players are in the United States; in Europe, we have fewer data-driven businesses, and many promising EU-based technologies and start-ups have been acquired in their early days.
High dependency in the public cloud: The three biggest US providers alone constitute over three quarters of sales worldwide.
If you take all those tools away because US companies don’t meet the required standards of GDPR in their current way of working, many companies here can’t function well.
At the same time, European enterprises need to be on their guard. They are required to comply with all data protection laws, so they need to identify any areas where they don’t and act accordingly. If they fail to do so, they risk getting dragged into a maelstrom of fines, because European businesses will be punished as well if they violate data protection laws. The potential financial consequences of this ruling are huge. In our experience, most are well aware of this and are seeking guidance as the ripples spread.”
What can enterprises do in concrete terms?
Mark Forrest: “This ECJ ruling was effective immediately. Data protection authorities have indicated they would not grant a period of grace, so it is important for enterprises to act now and mitigate the potential risks this ruling opens them up to. The clock is ticking. European companies operating mainly in Europe already have a high standard to meet, namely the GDPR. Where they run into trouble is when they employ the services of companies that don’t comply. European enterprises need to divert the risks that suppliers can cause for them and require their compliance with any applicable EU data protection laws. And, of course, enterprises must follow the advice and guidelines from data protection authorities. Eventually, there will be a new agreement to ratchet up the pressure on the US to change priority, and it may well provide more legal certainty for businesses; but until then businesses must ensure their compliance with the legal reality of this ruling today.”
How has Cryptshare reacted to this? Is there anything in particular you want our customers, partners and users to know?
Mark Forrest: “In one way, everything has changed: For any data transfer to the United States, European enterprises must ensure that GDPR standards are being complied with. In another way, nothing has changed: Enterprises must comply the way they needed to before. For European companies operating in Europe, we already have a high standard which we meet, and this is encapsulated in the GDPR. Data is one of today’s most valuable assets; entire business models are built on it. Therefore, it greatly matters where this data goes and what happens to it once it is there. Enterprises need a product like Cryptshare to protect their data in transit and make sure it remains safe between a sender and its intended recipient and does not fall victim to predators that include data-driven businesses, bad actors and governments both legitimate and malign. That is the essence of the Schrems ruling and of the GDPR regulations.”
Safe Harbor Privacy Principles overturned, EU-US Privacy Shield ruled invalid, SCCs jeopardised: Where can future transatlantic legal agreements go from here?
While the situation after the end of the EU-US Privacy Shield is not exactly new, action is required from all parties involved. Politicians must draft a new agreement between the EU and the United States that constitutes a sustainable and resilient basis for all future data transfers to the USA, and this must be done quickly. In order to stand up to the scrutiny of the European Court of Justice any agreement that is reached must ultimately meet the data protection requirements that EU standards demand. Is this within the realm of possibility?
That remains to be seen. In the United States, other factors are clearly given priority, namely their economic interests and their intelligence agencies’ wide-reaching powers to access data, particularly personal data, regardless of its origin or storage location. For this reason, they have so far shown no willingness to make any concessions to European data protection laws should they come at the expense of their national interests. It currently seems that it will be up to Europe to make its own demands for data protection and data privacy a reality, as the US seems unwilling to concede ground.
Is there an alternative approach to data protection for Europe?
The bottom line is that this challenge also offers a great opportunity, especially if there is willingness to think strategically and long term. For example, European enterprises could, from now on, shift their business to European alternatives that do not entail the inherent interdependencies and obligations of US providers. Such projects already exist, for instance with cloud and data networks such as Gaia X. By relying on European providers that comply with GDPR, companies not only fulfil the important prerequisite of legal certainty through compliance, but can also effectively promote their own data sovereignty and put themselves back in charge of their most precious asset, their data. They still, of course, need to protect that data (by encrypting it) in transit, as the very architecture of the networks means that much data in transit passes through staging points in the US.
Cloud computing: not only a profitable business, but also a generator for tax revenue
In addition, the big players in data storage and processing, who benefit from that data’s value, would then be located in Europe: This would not only lead to the personal data of EU citizens being handled in a GDPR-compliant manner, but would also provide European countries with more opportunity for tax revenue on EU profits. Successfully building and establishing European counterparts to the dominant US players would certainly be an ambitious and long-term undertaking – but will there ever be a better time to try?