Today’s Court of Justice ruling invalidating the EU-US Data Protection Shield is of paramount importance in the relationship between the EU and the US and will have a strong impact on transatlantic businesses, particularly in the field of data-driven businesses. In a nutshell, under this new scenario it will no longer simply be assumed that US tech companies, such as Facebook, Google or Amazon for instance, adequately protect the privacy of their European users’ data when they send it to the US. Such transfers will become more complicated and may require operators to reorganize the facilities through which their customers’ data are stored and managed.
The impact on business
The impact of the ruling and the subsequent need for industrial reorganization will not be the same for all operators, or even for all products/services of the same operator.
As said, the annulment decision makes the flow of personal data from the EU to the US more complicated, risky and uncertain. However, this event does not come as a total surprise, because the possibility that the Privacy Shield could be annulled (like the previous Safe Harbour regime) was a foreseeable outcome. Therefore, for some years now US platforms have already been adapting their business models in light of future restrictions on transfers of data to the US.
In fact, various US operators already offer EU-based services in Europe, that is to say digital services (cloud, for instance) managed via servers located in the EU. Amazon and Google seem to be the front-runners in this strategy, which is mostly aimed at business customers and public administrations, for which the localization of their data within the EU may be an essential part of the contractual arrangements. Many US operators are expected to follow the same path for the B2B sector, with the result that the data center business in the EU will probably grow.
Things will be different for operators which are still offering digital services and managing data through facilities located in the US. This mostly concerns consumer-oriented services, in particular services focusing on profiling and advertising (social networks) and commercialised under a free or “freemium” model. For these kinds of operators and businesses, the Privacy Shield annulment may have an impact, since the transfer of data to the US for various processing purposes (such as profiling etc.) will become more complicated (but not impossible, as will be seen below). This is probably the case for Facebook.
Of course, the impact of the Privacy Shield decision may differ among the services of the same operator. Take for instance the case of Google: while cloud B2B services based on EU facilities may not be impacted, an issue of data transfer may arise for other services that collect data, such as Search, Gmail, Google Docs etc. In other words, services of the same operator may be impacted differently depending on where the data are stored.
To sum up, the impact on the industry will be the following: US operators will be induced to localize their data centers in the EU, unless they find a strong and certain legal ground to transfer the data to the US. European companies that are outsourcing the processing of data to US providers will have to reconsider their plans. The final winner seems to be, for the time being, the European data center sector.
The impact on users
Apparently, the ECJ decision will not have direct and immediate effects perceptible by users, at least in the short term, because the main effects will be on the industry and will entail, as we have seen, a tendency to open data centers mainly in Europe, rather than transferring Europeans’ data to the USA.
However, this trend towards the European localization of data centers will indirectly benefit users, because it will increase the empowerment of European citizens whenever there are disputes regarding their data: they will be able to benefit from a European court as well as the help of European consumer associations. This may occur in various situations, such as disputes about the use of data, deletion requests, or data breach cases that put passwords, credit cards and addresses at risk. European citizens will therefore be better protected, because they will know whom to turn to in order to defend themselves and who will protect them: that is, someone in their own country or in any case in Europe, and not in the USA.
According to the ECJ’s ruling, national DPAs have a duty to take action and to resist political pressure, as has happened repeatedly already. Just looking away is not a solution. In fact, in various German regions (Länder) local DPAs have already concluded that the use of Microsoft Office 365 in schools may be illegal, as well as the use of foreign-hosted chat and video communication services. The Swedish and Dutch authorities have repeatedly come to the same conclusion. SaaS services such as MailChimp, Zoho, Dropbox and Zoom are probably also at risk.
Summary of the main points of the judgment:
- The Court invalidated the European Commission’s Decision on the Privacy Shield (2016/1250), arguing that the surveillance laws of the US do not allow for US protections of privacy to be deemed ‘equivalent’ to those offered by the EU’s GDPR.
- Although the Court did not invalidate the European Commission’s Decision 2010/87 on the standard contractual clauses (SCCs), it argued that for any data transfer relying on SCCs, the legal system of the third country must also be evaluated individually (in addition to the contractual clauses agreed). Given the previous point on US surveillance rules, this could effectively block EU-US transfers using SCCs as well. Of course, many cases of data transfers will remain valid, such as:
  - cases where users want their data to flow abroad (based on informed consent that can be withdrawn at any time);
  - data flows for what is necessary to fulfil a contract;
  - other ‘necessary’ data flows under Article 49 of the GDPR.
- On the discretion of national Data Protection Authorities (DPAs) to act once they receive a complaint, the ECJ ruled that, unless there is a valid Commission adequacy decision, DPAs are required to suspend or prohibit a transfer of personal data to a third country if they believe the protection of the data cannot be ensured in the country of destination. DPAs had previously argued that the decision whether to act on such complaints was up to them.