May 12, 2021 - Economy

Businesses fall into transatlantic privacy hole

Illustration of a digital tear into the European Union's flag.

Illustration: Sarah Grillo/Axios

U.S. companies have begun to face costly problems abroad while they wait for American and European partners to hammer out a new privacy deal after the EU voided a key international pact last year.

What they're saying: U.S. businesses that operate internationally say they've lost "tens of millions" of dollars thanks to the legal logjam, according to Jules Polonetsky, CEO of the Future of Privacy Forum, an industry-backed nonprofit. "European companies are being cautious and not going ahead with transactions until there is clarity."

What's happening: Businesses that share data with Europe used to largely rely on an agreement known as Privacy Shield to provide them with liability protection, but Europe's highest court struck it down last July, and consequences have begun to surge across data-dependent industries.

  • U.S. email marketing company Mailchimp was implicated in April when the Bavarian data protection authority ordered a European magazine to stop using the service to send its newsletters.
  • Microsoft announced last week it would begin storing and processing EU cloud customer data in the EU, citing its commitment to meeting EU data protection laws, including GDPR. Storing data locally is something large companies can pull off due to the expense. For smaller companies, it's more likely they lose business completely when faced with regulatory risk.

Enterprises that need data for research and policymaking are also feeling the pain.

  • In April, the Federation of European Academies of Medicine and the European Science Advisory Council reported that uncertainties around sharing health data outside the EU puts essential research, including about vaccines, at risk, with thousands of collaborations with the U.S. already affected.
  • Also in April, Portugal's National Data Protection Commission ordered its census bureau, Statistics Portugal, to suspend sending census data to the U.S. because the bureau was using Cloudflare, a U.S. company.

"There have been very public decisions that show the system is starting to break," Polonetsky said.

The big picture: U.S. businesses have resisted embracing the EU's stringent data privacy rules, and U.S. lawmakers have so far failed to pass national privacy standards — though states like California have moved ahead on their own.

As the two sides of the Atlantic alliance move out of sync, companies are paying a price.

  • Securities and Exchange Commission filings from dozens of different businesses filed this year say the ongoing confusion over the legality of U.S.-EU data transfer may hurt finances, operations and service offerings overseas.

Catch up quick: The case that ultimately struck down Privacy Shield was brought by Austrian privacy advocate Max Schrems, who complained that clauses in Facebook's data contracts don't adequately protect Europeans from government surveillance in the U.S.

  • Schrems also launched the case that upended the previous agreement governing data flows between the U.S. and Europe, known simply as the Safe Harbor.

In addition to Privacy Shield, which is mainly used by small and medium-sized businesses, companies rely on Standard Contractual Clauses to make data-transfer agreements comply with regulations.

  • The legality and usability of those have also been in flux, though Bruno Gencarelli, head of international data flows and protection for the EU, said in late April businesses would get updated clauses to use "within weeks."

What's next: Observers believe the U.S. and EU may be close to a new deal.

  • In March, the Department of Commerce said Secretary Gina Raimondo and European Commissioner for Justice Didier Reynders were "intensifying negotiations" on a new Privacy Shield framework.
  • Yes, but: It's not clear that any new agreement can both satisfy U.S. companies and meet Europe's much higher privacy bar.
Go deeper