Facebook has warned that it may pull out of Europe following a preliminary order from the Irish data watchdog to ban the sharing of European citizens’ data with the US.
The Dublin court could enforce this year’s landmark ruling by the European court of justice (ECJ) which found that the EU-US Privacy Shield fails to safeguard snooping by US authority. The tech giant’s vow to withdraw from Europe is a warning that the EU and US might be caught in a privacy trade war and that Washington needs a federal data privacy law as soon as possible.
In the background, the end of the Privacy Shield is also likely to affect future data transfers between the EU and UK after the end of the post-Brexit transition period in December.
Data privacy issues had already been raised in Europe
The EU-US Privacy Shield, a scheme approved by the European Commission (EC) in 2016, has been challenged after campaigners argued that the US cannot ensure the privacy of European data, and in July of this year the EU court confirmed just that.
The agreement enables non-EU companies that handle the data of European citizens to meet the requirements of the General Data Protection Regulation (GDPR). It replaces the Safe Harbor Privacy Principles, declared invalid in 2015 by the EU Court of Justice. At that time, Edward Snowden’s leaks provided evidence of the US National Security Agency’s mass surveillance of private data relating to European citizens.
Data transfers must adhere to European standards
Since the court’s ruling, companies have relied on individual legal agreements, known as standard contractual clauses, to transfer data. But even the ECJ stressed that additional safeguards might be needed to make sure that such data transfers adhere to Europe’s data protection standards. Facebook’s warning of stopping its operations in Europe is a way to put pressure on Brussels to introduce a comprehensive legislation rather than leaving it to EU countries’ regulators to make their own rulings.
Companies on both sides of the Atlantic are now calling for more guidance on how they should transfer data to the US.
EU and US have different views on privacy
In the past the EU has made pressure on Washington to adopt a federal law on data privacy similar to GDPR. Brussels would be keen for this to be as closer to GDPR as possible, in order to achieve an adequacy agreement that would allow US and European businesses to freely share the personal information of their citizens. But with the Privacy Shield now defunct, it’s hard to imagine an alternative agreement on data transfer between EU and US that won’t be challenged again by the ECJ, unless the US reforms its surveillance law.
The US and EU appear to be increasingly at odds on the transfer of personal data. While the EU is firmly in favour of privacy protection through GDPR, the US prioritises the right of surveillance by the US state for the sake of national security. If the two cannot come to an agreement, the future of global digital platforms may well be at risk.
Brexit has complicated data privacy in Europe
The need to protect EU citizens from surveillance may restrict data to other countries as well, including to the UK after Brexit, when it will have to seek an agreement from the EU that ensure that its data protection regime is adequate. The UK data watchdog, the Information Commissioner Office, states that “although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet.
Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses”.