US-EU ‘Privacy Shield’ Joint Data Transfer Agreement Struck Down

In a policy move that leaves many international companies scrambling, the European Court of Justice ruled that a data-sharing agreement between European Union member states and the United States fails to properly protect E.U. citizens’ personal data.

In a recent press release, the European Court of Justice struck down a 2016 data-sharing agreement between E.U. member states and the United States, known as Privacy Shield, on the grounds that the agreement does not hold the United States to high enough data privacy standards and gives both U.S. companies and authorities unacceptable access to personal data.  

Moving forward, any data moving from the E.U. to another country will have to clear a specific bar of scrutiny to ensure that data is being handled properly.

The E.U.’s personal data rights are some of the most advanced and stringent in the world. The General Data Protection Regulation (GDPR) and further broad digital protections under the E.U.’s Charter of Fundamental Rights are policy forerunners for personal data legislation. 

The European Court of Justice decision bars all transference of E.U. data to the United States given the lower levels of data protection and security in the U.S. Moving forward, any data moving from the E.U. to another country will have to clear a specific bar of scrutiny to ensure that data is being handled properly

“[The] decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.”

In other words, any time a data transfer is to occur from the E.U. to another country, a series of security checks will need to be carried out. If the recipient country is unable to follow through on those security measures, then the data transfer will have to be suspended.

The court ruling will have major impacts on multinational corporations, especially those in the technology and information sectors. Amazon, Google, Facebook, YouTube, Dropbox, and many other industry leaders will be heavily affected by the invalidation of Privacy Shield. As Secure Digital Solutions (SDS), a cybersecurity consulting company, put it in 2018 when the E.U. first threatened to suspend Privacy Shield — “The [U.S.] enjoys a top ranking among the EU’s trading partners with $1.1 trillion in annual bilateral trade. The threat of suspending or invalidating Privacy Shield creates fresh anxiety for senior executives whose firms rely on the digital and global economy to prosper.”

The road ahead for many international businesses, particularly tech companies that rely heavily on E.U.-U.S. data transfer may be rocky.

Whether the United States will be able to pass a national law enforcing stronger personal data protections is unclear.

The lawyer behind the complaint that led to the Privacy Shield ruling, Austrian data protection activist Max Schrems, was the main force behind the previous E.U. court strike down of Privacy Shield’s predecessor, Safe Harbour, in 2015. 

The road ahead for many international businesses, particularly tech companies that rely heavily on E.U.-U.S. data transfer may be rocky. Sam Curry, Chief Security Officer at cybersecurity company Cybereason, put it this way in a Forbes interview: “Changing (cybersecurity) architecture takes years, and adding it late in the game can and will lead to performance degradation, availability issues, feature limitation[,] and hard-to-prove and hard-to-verify claims. Audits will be especially painful when things get up to full speed.” 

Whether the United States will be able to pass a national law enforcing stronger personal data protections is unclear. While the state of California boasts the strongest state-level data regulation in the 2018 California Consumer Privacy Act (CCPA), a nationwide equivalent doesn’t exist. However, in March of 2020 U.S. Senator Jerry Moran (Republican, Kansas) introduced a Consumer Data Privacy and Security Act (CDPSA), modeled after the E.U.’s GDPR. It remains to be seen whether the CDPSA will find its way through Congress without significant changes but it could potentially usher in a new era for consumer privacy and personal data protection in the United States.

This article was written by Christopher Nelson. Please send an email to cn1168@nyu.edu to get in touch.
Photo Credit
: https://www.europarl.europa.eu/news/en/headlines/world/20190214STO26415/eu-us-trade-talks-the-issues-at-stake

Leave a Reply

Your email address will not be published. Required fields are marked *