Europe must not trust US with data protection
July 16, 2020Despite what certain activists had predicted, the European Court of Justice's decision that Privacy Shield is invalid, will not spell the end of the transfer of data in the international business arena and certainly not the end of the Internet.
The Luxembourg-based court ruled that a 2016 trans-Atlantic deal known as Privacy Shield, which allows some 5,000 companies to move data between the US and the European Union (EU) violated European privacy rights.
However, it also said that Standard Contractual Clauses examined by the EU would continue to permit the transfer of personal data to companies outside of Europe.
Violation of privacy rights
The case goes back to the Austrian lawyer and privacy activist Max Schrems who had filed a complaint saying that Facebook had violated his privacy rights when his data was transferred to the US.
By ruling that the deal was invalid because US security and intelligence agencies could still access data stored by Facebook, Twitter, Google, Apple, Microsoft and other companies, the court issued a strong reprimand to the European Commission and the US. It said that the data of EU citizens was endangered and ruled that the US should not be considered a country with adequate data protection policies.
It is the second time that the European Court of Justice has delivered such a scathing verdict. In 2015, it declared invalid Privacy Shield's predecessor, the European Commission's Safe Harbor agreement with the US, which was not very different from its successor.
Read me: EU top court dismisses class-action suit against Facebook
US will not change
The court's message is loud and clear: It does not think that the Commission or the US have drawn the right conclusions since the scandal triggered by whistleblower Edward Snowdon's revelations regarding the activities of the US intelligence agencies and the mass surveillance of citizens, including in the EU.
US agencies continue to hunger for data and this has not changed under US President Donald Trump.
Even though the European Commission has announced new negotiations, hardly anybody believes that Trump will succumb to pressure to change the US's laws and methods.
EU offers considerable data protection
In the European Union, however, there has been some progress since the first verdict in 2015. The General Data Protection Regulation has come into effect and is considered to offer extensive protection by comparison to other policies around the world.
The European Commission only recognizes a few countries, such as Switzerland, Japan and a few more, as providing similarly adequate protection. The US was on the list so long as the Privacy Shield deal was in place but will now join other "ordinary" countries such as China, India, Brazil and most of the world.
Read me: What is GDPR, the EU's data protection law?
Despite the verdict from Luxembourg, companies will still be able to exchange and transfer sensitive data to third countries. However, companies in the US or China will have to guarantee that they are complying with European data protection regulations by signing Standard Contractual Clauses.
All of us are affected by this. Each time, we book a journey or buy a product online our personal data can be sent abroad.
It is difficult to imagine what might be done with the data. China, a Communist state with a huge surveillance apparatus, can access data stored by Chinese companies at will. It is also impossible to control what authoritarian states such as Russia or Turkey do with personal data.
However, the European Court of Justice opted not to curtail this basis for economic activity as it would have led to a collapse of many areas of the networked economy.
More data sovereignty needed
In the long term, the European Commission and European companies will have to ensure that European data is processed in accordance with EU law, on servers located on the continent. The idea is to increase the number of clouds in the EU and thus improve data sovereignty. For now, most clouds are in the US and China.
For its part, however, the US is also trying to tighten its grip. The US State Department is currently looking into the Chinese video-sharing application TikTok and deliberating whether to ban data transfer from US users to China and thus effectively shut down the company's activities in the US.
Read more: India bans TikTok, WeChat, other Chinese apps over security concerns
Max Schrems may have won a second victory, but the case has also shown that there is still much to be done when it comes to international data protection.
This issue should not be dismissed lightly, particularly during a pandemic. COVID-19 has a number of states flirting with the idea of storing data related to health, face recognition, movements and contacts, which would be a strong encroachment on people's data protection rights.