By Robert Bateman
The world of digital privacy was shaken this month, when the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, which allows certain businesses to freely transfer personal information from the E.U. to the U.S.
The E.U. court ruled July 16 in Luxembourg that U.S. surveillance laws violated the privacy of European citizens. International data transfers to the U.S. can still take place, however, subject to standard contractual clauses to protect personal information, written by the European Commission.
Experts on both sides of the Atlantic told Digital Privacy News that the U.K., which has similarly intrusive surveillance laws to the United States, could be disproportionately affected by the decision.
“The CJEU ruling is ultimately about American exceptionalism,” said Heather Burns, a tech policy specialist in Glasgow, Scotland.
“The U.S. remains a staunch outlier, among Western systems, in refusing to enact a federal-level privacy law that protects privacy as a fundamental human right,” she said.
How It Works
The E.U. places strict rules on how businesses transfer personal information to third parties based outside of the bloc.
“The CJEU ruling is ultimately about American exceptionalism.”Heather Burns, a tech policy specialist, Scotland.
By opting into the Privacy Shield framework, U.S. companies could certify that their data-protection standards were “adequate” in the eyes of E.U. authorities. This made it easier for U.S. and E.U. companies to do business together.
Now that the Privacy Shield has been invalidated, U.S. and E.U. companies will have to resort to more burdensome methods of sharing personal information, such as agreeing to be bound by “standard contractual clauses” approved by the European Commission.
The Privacy Shield decision could also have highly significant implications for the U.K.
According to Burns, the ruling represented “a preview of what could lie ahead for a country that also views itself as rather exceptional” and that had “a disproportionate surveillance apparatus of its own.”
The Brexit Effect
The United Kingdom will fully transition out of the European Union next Jan. 1, at which point the country plans to seek an “adequacy agreement” with the E.U.
The agreement functions similarly to the now-defunct Privacy Shield — and it would allow U.K. and E.U. businesses to continue sharing data freely.
But the U.K.’s surveillance laws previously have been condemned by the E.U. courts, and Burns said the Privacy Shield decision was further proof that the U.K. would struggle to obtain such an agreement.
“(Obtaining an adequacy agreement) simply won’t be possible if the U.K. continues to pattern itself on the U.S. surveillance model,” Burns told Digital Privacy News.
Failing to reach an agreement on data transfers with the E.U. could be damaging for U.K. businesses.
“Ultimately, it’s the digital sector and (small-medium-sized enterprises), who can’t afford a specialist international legal team in the middle of a pandemic, who will pay the price,” Burns said.
Sector’s Value: $189 Billion
The U.K.’s digital sector is worth 7.7% of the country’s economy, around $189 billion per year, according to government figures.
Across the Atlantic, Joseph Jerome, a privacy and cybersecurity attorney in Washington, said he was unsurprised by the E.U. court’s decision.
“Privacy Shield did not address fundamental questions around U.S. surveillance,” Jerome told Digital Privacy News.
“Absent an accord that goes beyond the sort of handshake agreement that was Privacy Shield, the legal endgame here is serious restrictions on all transfers of data into the U.S.”
Asked about implications for the U.S. economy, Jerome was reluctant to place a “dollar value” on the invalidation of Privacy Shield.
“Privacy Shield did not address fundamental questions around U.S. surveillance.”Joseph Jerome, privacy and cybersecurity attorney, Washington.
He claimed that it could force U.S. companies to localize their data storage, rather than relying on third-party cloud storage companies, or to invest in E.U.-based cloud solutions.
Like Burns, however, Jerome sees implications for the U.K.’s adequacy agreement application with the E.U.
“There is obviously pressure to ensure the U.K. remains relatively integrated with the E.U.,” he said. “It will be very interesting to see how the European Commission will deem the U.K. adequate or not.”
While it is “hard to guess” whether an adequacy agreement is realistic, the U.K.’s laws on the government interception of data could prevent this.
“The U.K. has a close relationship with the U.S.,” Jerome said. “There’s obviously a reckoning that needs to be had on the countries’ surveillance authorities.”
Robert Bateman is a writer in Brighton, U.K.
Sources (external links):
- Court of Justice of the European Union: The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shie
- UK Government: Digital sector worth more than £400 million a day to UK economy