The Privacy Shield Fell — Now What?

By on

Click to learn more about author Stefano Maffulli.

Personal data flows between countries as fast as dollars and euros. The current of personal data between US companies and European citizens was abruptly switched off after Europe’s top court killed a trans-Atlantic agreement that allows data to move between the European Union and the United States.

This means that any transfer of information from EU citizens to US companies is now in legal limbo. Are you reading this on a mobile phone? Your browsing information is transferred to the US. Every time you type a message on your phone in Rome, the predictive keyboard transfers data to Google or Apple across the pond. Or say you wedge a Tesla through the narrow streets of Amsterdam — that data flies right over to the US. Without the legal framework of the Privacy Shield, all of these daily activities are technically illegal.

What’s Next

Companies have to rethink their data transfer and storage policies before they become outlaws. It won’t be easy. Any firm that collects and manages the data of European citizens must sift through their applications and storage policies, and storing data in European availability zones from US-based companies won’t be a workaround anymore. 

Tech titans like Google and Facebook are diving for loopholes, arguing that the ECJ left the system of standard contractual clauses (SCCs) in place, the section of the Privacy Shield that facilitates data transfer. 

But with the Privacy Shield down, the SCCs won’t help them export EU data, says Carlo Piana, who has been practicing IT law in Europe since 1995. What used to be fairly straightforward — like storing logs from a server in one of the many available EU data centers — won’t fly now. “It’s a lot more difficult to confine data from applications like speech recognition in mobile phones to Europe,” Carlo explains.

While the court didn’t strike them down directly, the SCCs are only valid if they respect the same standards of protections granted by European laws. The trouble? Those same companies fall under the Foreign Intelligence Surveillance Act (FISA) jurisdiction, rendering SCCs invalid.

Lawmakers are heading back to the drawing board. The US Chamber of Commerce is already in damage-control mode — see the letter they fired off — backed by thousands of companies urging governments to “develop a stable and sustainable mechanism for companies to transfer data between the European Union and the United States” or risk denting the $1.1 trillion in total trade in goods and services between the two. 

Privacy activist group NOYB (My Privacy is None of Your Business) has already outlined an 1,800-word FAQ for European companies. Fines for violating the GDPR are massive, although the same group also admits that seven years after the first sentence, the Irish Data Protection Commissioner has yet to provide the guidelines to force Facebook to respect it.

What This Means for Cloud Storage 

European efforts led by France and Germany to build a sovereign cloud infrastructure matter now more than ever. Take GAIA-X, a project started in Europe for Europe that aims to develop common requirements for a European data infrastructure driven by openness, transparency, and portability in the EU. 

Of course, storage doesn’t happen in a vacuum: Applications drive the need for storage, and re-architecting them for compliance is a nightmare. Expect a massive push to move out of the US, driven by European companies. 

The COVID-19 emergency relief package will kick this into higher gear, leading governments away from Silicon Valley startups. Take, for example, the gargantuan 500,000-seat contract granted to Slack-rival Element to support distance learning for German schools. Concerns with data sovereignty have already made Element the choice for governments in France and Germany. 

Move Fast and Fix Things

We have to move fast: This time, there’s no grace period for compliance. Europe needs to home- grow a more attractive offering to local developers. Only a concerted effort between the EU Commission, national governments, corporations, and citizens will put data back where it belongs. 

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept