You might have recently seen that the European Court of Justice (ECJ) put an end to a digital trade agreement involving the transfer of EU data to the United States. This move was due to surveillance fears and concerns over the lack of privacy standards that currently operate within the US. Judges expressed that the Privacy Shield agreement did not protect the data of EU citizens adequately from US surveillance in the same way EU law demands.
Over the course of the past two decades, data has been flowing freely between the EU and US, which has been fruitful for those on both sides of the Atlantic and previously had the backing of the European Commission. However, the ECJ ruling to invalidate the EU-US Privacy Shield agreement has put all digital trade of data in jeopardy and left over 5,300 US-based companies unsure of how to proceed.
The court stated:
“The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
Data privacy and security of EU citizens is of paramount importance and hence the reason for the formation of the European General Data Protection Regulation (GDPR) - it protects the data rights of European citizens but extends to any organisation that collects, stores, or uses EU citizen data. So, with the ECJ raising this serious concern, it is a promising start to demanding further reforms in how data is distributed.
Impact on businesses
What does this mean for the thousands of organisations that depend on this data?
At this stage, the main alternative for enterprises wishing to transfer data to the US is to use Standard Contractual Clauses (SCCs), which are non-negotiable legal contracts drawn up by Europe, and are used in other countries besides the US. These have been used frequently, and following the ruling, Microsoft released a statement that the company uses SCCs.
But the impact of data-sharing agreements is far-reaching and deep rooted, affecting not just social media companies, but banks, law firms and many other types of companies. With Privacy Shield now defunct, it will be interesting to see how US and EU regulators form a plan to create a workable data-sharing framework or mechanism.