The rules that facilitate much of the digital commerce between the EU and US have been thrown into a state of flux in recent weeks. Last month, the Court of Justice of the European Union (CJEU) passed a landmark judgement to invalidate the Privacy Shield, a framework governing the flow of EU citizens’ personal data into US companies. Then, just last week, Austrian privacy advocate Max Schrems, who brought the initial case to the CJEU, filed fresh complaints against 101 companies that he alleges are failing to provide adequate protection to the data of EU citizens, in spite of the CJEU’s landmark judgement.
What does all this mean in practice? The Privacy Shield allowed US companies to self-certify that they would adhere to loftier data principles than those required of them at home, allowing for the transfer of personal data from the EU to the US. More than 5,000 organizations relied on the arrangement, and the freedom to move data between markets that it gave them has been critical to businesses’ ability to sell physical and digital goods and services to customers in Europe: activities that make up a large part of the $7 trillion in transatlantic trade conducted annually. The CJEU’s initial decision left businesses in the US and the EU in a precarious position and cast doubt over their ability to trade seamlessly.
A turning point?
The CJEU’s move to invalidate the Privacy Shield has not, yet, meant that businesses are prohibited from moving EU data to the US. For the moment at least, businesses can rely on what are known as the Standard Contractual Clauses (SCCs) as a valid means of transfer (and in some instances, Binding Corporate Rules, although these are less common). These are a special set of terms designed to guarantee data privacy standards. SCCs are common, so many businesses have been able to continue as they had before.
However, the complaints that Schrems filed last week seek to remove this option for businesses. The complaints against 101 companies, including the likes of Airbnb and the Huffington Post, argue that SCCs do not provide adequate protection for EU personal data because US companies fall under US surveillance laws.
The 2013 Snowden leaks illustrated the extent to which US security agencies had been making use of personal data stored by companies. The ECJ determined that the Privacy Shield was an inadequate mechanism to protect data on EU residents from US surveillance programs — and Schrems argues that SCCs are no better.
With significant reform to US surveillance law unlikely in the near future, companies are being left in an awkward predicament. It is suddenly becoming less viable to rely on SCCs to move data, and businesses are supposed to carry out a comprehensive analysis of local laws and, if necessary, use supplementary measures to protect personal information. We await further guidance from the key regulatory and political stakeholders in this regard.
A patchwork agreement for a Privacy Shield replacement could follow, but there is a real possibility that we could reach a point where data can no longer move freely from the EU to the US. This could lead to a requirement that all data on EU citizens is stored within the EU. This could dramatically limit US providers’ ability to access and process this data and the range of digital services available to EU citizens.
A key issue in Brexit negotiations
The ECJ’s decision on the Privacy Shield may also have a big impact on Brexit, with just a few months remaining for the UK and EU to ratify the terms of a post-Brexit trade deal. Sadly, the issues of data rights and privacy frameworks have not been a major talking point in negotiations thus far, with hot button political issues such as fishing rights seemingly taking priority — despite the huge economic impact that a failure to reach an agreement on data flows would bring. Whatever the outcome, the EU will need to make a decision on the UK’s “data adequacy,” meaning the extent to which UK law protects personal data in comparison with the EU’s own General Data Protection Regulation (GDPR).
The ECJ’s decision on the Privacy Shield was an indication of the level of scrutiny the EU will employ in assessing the UK. In the meantime, the UK needs to decide whether to align itself more with the EU or the US. Will it make it more difficult for companies to export data from the UK, as the EU has? Or will it favour a closer relationship with the US and risk facing the same kind of regulatory uncertainty that the US is now experiencing?
This decision will have a huge impact on the way British businesses operate internationally and how international businesses operate in the UK. If a data adequacy agreement is not reached, the system that allows the free flow of personal data between the EU and the UK could be uprooted. And if one is reached, it could have an impact on a possible free trade deal between the UK and US.
Reacting in the face of uncertainty
So, whether you’re a UK business facing the unpredictability of the Brexit negotiations, or a US company worrying about the future of data flows from the EU, what can you do now to prepare for the changes that are coming? As always, it starts by getting the basics in place. Here are four steps any organization can take to ensure they can adapt quickly and effectively to any regulatory outcome:
- Understand how you use data: If they are to react quickly, businesses have to know exactly what data they are using, where it came from, and how it is moving through their organization. This should be a continual undertaking, but right now too many companies don’t have a clear understanding of these issues.
- Think long-term: With so much uncertainty, businesses must factor in potential data compliance requirements into their growth strategies. The privacy regime operating in each region must be a key consideration for any business planning to expand into new markets. Carefully evaluate data regulations when considering where to invest for growth and budget accordingly so you know that you’ll be able to comply with all local regulations.
- Stay agile: Wherever they are headquartered, it is critical that startups and digital businesses are monitoring developments in the EU-US and the EU-UK negotiations. Progress won’t be steady: nothing could change for a while, and then it will all move very quickly. Make sure someone in the organization is responsible for keeping a close eye on the latest news and flagging anything important.
- Communicate! Consumers are increasingly aware of how their data is being handled by businesses. Transparency is therefore crucial to building and maintaining trusted relationships. Be proactive about keeping customers informed about your policies and day-to-day operations. You should consider publishing your law enforcement guidelines and transparency reports to make it clear how your organization interacts with data requests from government agencies.
Mark Kahn is General Counsel at customer data platform Segment.