U.S. companies may need to brace for tougher restrictions on importing data from the European Union after the bloc’s top court rules next week on two legal mechanisms most use to ship the information.
The restrictions “will be confirmed, and probably strengthened” in the EU Court of Justice’s decision, said Eduardo Ustaran, global co-head of Hogan Lovells’ privacy and cybersecurity practice. He cautioned, however, that “we don’t know the precise position the court will take.”
At stake is the transatlantic data market—worth hundreds of billions of dollars—that lets companies such as Alphabet Inc.’s Google, Facebook Inc., and Amazon.com Inc. use U.S.-based facilities to serve European customers. European regulators want to ensure the mechanisms governing data transfers protect Europeans’ privacy as stringently outside of the bloc as within.
Most companies use one of two mechanisms to transfer the data. One is standard contractual clauses—agreements between data controllers that the European Commission has deemed to have sufficient safeguards. The other is the EU-U.S. Privacy Shield, a 2016 pact between the governments.
It would be a “doomsday scenario” if the court invalidates both mechanisms, Helen Dixon, Ireland’s privacy commissioner, who is also a party to the case, said. Companies “should be ready” for the invalidation of either pact and be looking to other data-transfer options, she said.
Privacy advocates have challenged both mechanisms as lacking consumer protections required by Europe’s comprehensive 2018 privacy law, the General Data Protection Regulation. The challenge has worked its way to the Court of Justice for the European Union, which on July 16 may invalidate both mechanisms, let one stand but not the other, or keep them both.
Uncertainty surrounding the decision has forced companies to prepare for multiple scenarios to ensure they can keep data flowing.
Invalidating either pact would create “significant disruptions” to the cross-border data market, said Thomas Boue, director of Europe, Middle East, and Africa policy at BSA | The Software Alliance, which counts Microsoft Corp., Oracle Corp., and Okta Inc. among its members. “If you can’t move HR data, how can you do payroll?”
EU service exports to the U.S. may fall by almost $50 billion a year if the court invalidates both mechanisms, Bloomberg Intelligence analyst Tamlin Bason said in a report last year. He valued the trans-Atlantic data market at $260 billion.
Invalidation would “seriously chill the ability for companies to share data with confidence,” said Robert Strayer, the State Department’s deputy assistant secretary for cyber and international communications and information policy.
Even if the court upholds both transfer mechanisms, its decision may set up further challenges to cross-border data regimes, said Caitlin Fennessy, former Privacy Shield director at the U.S. Commerce Department. The pact, and contractual clauses, have been “plagued by uncertainty since their inception,” she said.
The decision the Court of Justice will make stems from a long-running dispute involving Austrian privacy activist Max Schrems, the Irish data protection office, and Facebook’s operation in Ireland.
Schrems claimed in 2014 that Facebook helped the U.S. National Security Agency conduct mass surveillance of EU citizens. He also alleged there were insufficient privacy protections for the citizens’ data sent to the U.S.
The first round of his case, called Schrems I, resulted in the Court of Justice in 2015 invalidating a 15-year-old agreement that governed EU-U.S. data transfers. It was that agreement, called Safe Harbor, that Privacy Shield replaced.
The second round of the case, Schrems II, gained steam in October 2017. That’s when the High Court of Ireland referred multiple questions to the Court of Justice as to how multinationals in the EU transfer data to the U.S.
The referral led to the Court of Justice’s upcoming decision on both mechanisms—the contractual clauses and Privacy Shield.
Last December, in a non-binding opinion, the Court of Justice’s advocate general found the clauses and the Privacy Shield are valid. However, the official criticized a lack of U.S. legal remedies for EU citizens and wide-reaching U.S. surveillance powers. The criticisms led to the possibility that the court will invalidate both mechanisms.
If that happens, EU and U.S. officials have discussed what comes next.
The Trump administration has done “internal planning” for the possible overturning of the clauses or the Privacy Shield, Strayer said. The U.S. has also discussed possible results of Schrems II with the European Commission, he said.
Strayer pointed to U.S. legislative and executive actions that give Europeans data protections. The U.S. has enacted the Judicial Redress Act to let EU citizens sue in American courts for data violations, and Presidential Policy Directive 28 provides transparency around intelligence activities, he said.
The U.S. is “really providing EU citizens world-leading protections for their data,” Strayer said.
Companies that now transfer data under the clauses or the Privacy Shield will need to switch to a new framework if one or both of the mechanisms are invalidated. The switch will need to continue at least until U.S. and European officials negotiate replacements.
It will be important for companies “to be able to transition from one mechanism to another as seamlessly as possible,” Ustaran said. “Those who consider now how to do that are bound to be in a much better situation.”
Companies will look at using regimes such as binding corporate rules and necessity to fulfill a contract, said Fennessy, research director at the International Association of Privacy Professionals. However, she said binding corporate rules wouldn’t be a good choice.
Binding corporate rules dictate how companies protect data in transfers and include legal ramifications if they fail to do so. However, the process of getting such rules approved can be cumbersome and costly, ruling out the option for many businesses that don’t already have such procedures in place.
For now, even the most-prepared companies are hoping the Court of Justice leaves both transfer regimes in place. Such a decision would follow the advocate general’s opinion that both mechanisms provide ample data protections—even if there are concerns with U.S. surveillance powers.
Software vendor Workday Inc. was “proud to sign up to Privacy Shield the day it went live,” said Barbara Cosgrove, the company’s chief privacy officer. Workday will help U.S. and EU officials create a new arrangement if the court invalidates the Privacy Shield or clauses, she said.