On 16 July 2020, the ECJ (European Court of Justice) ruled the EU-US Privacy Shield invalid. It was not the first time this court made a splash on both sides of the Atlantic: The ruling clearly illuminated the fundamentally different perspectives – and priorities – of the European Union and the United States regarding data protection and data privacy. It has caused great uncertainty for many enterprises and presented them with challenges regarding how to handle data going forward. In the long term, however, this ruling offers European enterprises valuable chances for reassessing data-driven business models and re-imagining them in a way that is compliant with the required protections of personal data. Things may not be so simple for US enterprises seeking trade in Europe.
For many, the ruling of the ECJ came as no surprise. Still, its reverberations echoed through European enterprises: The EU-US Privacy Shield, an agreement regulating the protection of the personal data of European citizens transferred to the United States, was ruled invalid, effective immediately. As with its predecessor, the Safe Harbour Privacy Principles, which the court overturned in 2015, the court determined that data transferred to the United States was not sufficiently protected in the way current EU law (GDPR) demands. Standard Contractual Clauses, which constitute the foundation on which many enterprises transfer data to the USA, continue to be valid. If, however, it turns out that, despite these clauses, data protection in the United States does not take place in real and concrete cases, this last remaining legal basis will undoubtedly be invalidated as well.
Data is ever more important, and it is becoming increasingly valuable for a variety of actors. Since data in digital form can be easily stored, processed and transferred, it is a highly sought-after resource, often referred to as "the new gold". In the world today, there are very different approaches when it comes to processing and using data:
for more effective monitoring and control of an entire population
for the pursuit of one’s own geopolitical interests
for the benefit of specific economic interests
with a strong focus on data protection and the rights of individuals
In times of cloud computing and the networking of a wide variety of systems, many European companies send data streams to the United States, where the international market leaders, the so-called "big players", are based.
How has Email & File Protection Service reacted to this? Is there anything in particular you want our customers, partners and users to know?
Mark Forrest: “In one way, everything has changed: For any data transfer to the United States, European enterprises must ensure that GDPR standards are being complied with. In another way nothing has changed: Enterprises must comply the way they needed to before. For European companies operating in Europe, we already have a high standard which we meet, and this is encapsulated in the GDPR. Data is one of today’s most valuable assets; entire business models are built on it. Therefore, it greatly matters where this data goes and what happens to it once it is there. Enterprises need a product like Cryptshare to protect their data in transit and make sure it remains safe between senders and their intended recipients and does not fall victim to predators that include data-driven businesses, bad actors and governments both legitimate and malign. That is the essence of the Schrems ruling and of the GDPR regulations.”
Safe Harbor Privacy Principles overturned, EU-US Privacy Shield ruled invalid, SCCs jeopardised: Where can future transatlantic legal agreements go from here?
While the situation after the end of the EU-US Privacy Shield is not exactly new, action is required from all parties involved. Politicians must draft a new agreement between the EU and the United States that constitutes a sustainable and resilient basis for all future data transfers to the USA, and this must be done quickly. In order to stand up to the scrutiny of the European Court of Justice, any agreement that is reached must ultimately meet the data protection requirements that EU standards demand. Is this within the realm of possibility?
That remains to be seen. In the United States, other factors clearly are given priority, namely economic interests and the intelligence agencies’ wide-reaching powers to access data, particularly personal data, regardless of its origin or storage location. For this reason, the United States has so far shown no willingness to make any concessions to European data protection laws should they come at the expense of its national interests. It currently seems that it will be up to Europe to make its own demands for data protection and data privacy a reality, as the US seems unwilling to concede ground.
Is there an alternative approach to data protection for Europe?
The bottom line is that this challenge also offers a great opportunity, especially if there is willingness to think strategically and long term. For example, European enterprises could, from now on, shift their business to European alternatives that do not entail the inherent interdependencies and obligations of US providers. Such projects already exist, for instance with cloud and data networks such as Gaia X. By relying on European providers that comply with GDPR, companies not only fulfil the important prerequisite of legal security thanks to compliance, but they can also effectively promote their own data sovereignty and put themselves back in charge of their most precious asset, their data. They still, of course, need to protect (encrypt) it in transit, as the very architecture of the networks means that much data in transit passes through staging points in the US.
In addition, big players in data storage and processing, who benefit from that data’s value, would then be located in Europe: This would not only lead to the personal data of EU citizens being handled in a GDPR-compliant manner, but would also provide European countries with more opportunity for tax revenue on EU profits. Successfully building and establishing European counterparts to the dominant US players would certainly be an ambitious and long-term undertaking – but will there ever be a better time to try?