Illustration: Eniola Odetunde/Axios
Some businesses fear growing liability while others worry that small and mid-sized firms will get hurt as the U.S. and Europe begin work to replace Privacy Shield, the pact that let thousands of firms transfer data across the Atlantic without breaking EU privacy rules.
Why it matters: Without a replacement in place after the EU's high court struck Privacy Shield down last month, thousands of businesses will be stuck complying with an agreement that no longer applies in the EU while scrambling to figure out how to get data over from Europe without exposing themselves to legal risks.
What's new: This week, the Department of Commerce and European Commission announced they have started discussions to come up with a new framework to govern data transfers between the EU and the U.S.
- Flashback: When a European judge struck down an earlier agreement, called the Safe Harbor, it took about six months to agree on a new one.
- Things could go quicker this time because the ruling gives officials a guide to issues they need to consider in any new agreement, Guido Lobrano, vice president of policy for Europe at the Information Technology Industry Council, told Axios.
- Still, COVID-19 could complicate matters, as officials can’t huddle in person.
Where it stands: Businesses that relied on Privacy Shield to certify that they were being responsible with user data now face three key challenges.
1. Privacy Shield is still the law of the land in the U.S.
- That means fines and compliance obligations won't stop even though the agreement is no longer valid in the EU. FTC Chairman Joe Simons said at a recent Congressional hearing the agency would still be enforcing it.
- This is because many companies have built data protection promises made under Privacy Shield into vendor contracts and their terms of service. If they stop complying, the FTC could consider it a deceptive act.
- "It's a tough situation for a lot of companies," David Bender, a data and privacy lawyer at Covington and Burling, told Axios. "Frustrated and confused is how I'd describe the general mood."
2. Privacy Shield's absence could entrench tech giants' dominance.
- Some 5,300 businesses relied on Privacy Shield to safely transfer data. Most of them are small and midsize, while their larger counterparts instead protect themselves by customizing more complex "standard contractual clauses" drafted by the EU, an approach that's more expensive and complex.
- After the July 16 decision, Microsoft, Google Cloud, Amazon Web Services and Facebook all sought to reassure users and customers that transfers would be uninterrupted.
- It's another example of Big Tech firms' deep pockets and crack legal teams helping them weather regulatory uncertainty more easily than smaller companies, even as their size and power is being questioned worldwide.
- "As with any compliance concern, it's a matter of capacity for small and medium businesses," Cobun Zweifel-Keegan, deputy director of privacy initiatives at BBB National Programs, which administers a Privacy Shield dispute resolution program for 1,100 businesses, told Axios.
3. The U.S. and EU may never deliver an agreement that can pass legal muster.
- The court's chief rationale for killing Privacy Shield was that digital surveillance by the American government makes it impossible to ensure that Europeans' data can be protected once it enters the U.S.
- That was also the main reason the court struck down the Safe Harbor. It's unclear if it's even possible to create an agreement that can survive a court challenge absent a radical change in U.S. surveillance practices — and the Trump administration has agitated for more digital surveillance, not less.
The big picture: The uncertainty and complications raised by the end of Privacy Shield only threaten to push the U.S. and Europe further apart as the global internet grows increasingly balkanized.
Editor’s note: This story has been corrected to show that ITI’s Guido Lobrano said the conditions are right for a new privacy agreement to be reached more easily this time, not that it would take longer.