The Invalidation of the Privacy Shield: What Awaits Big Tech
The Privacy Shield, which aimed to protect Europeans’ personal data, was struck down this July as a result of the ECJ's Schrems II case. What does this mean for data privacy, and what is the impact on Europeans and companies?
23 October, 2020

The issue of data privacy has always been a hot topic, but became the number one priority on everyone’s online safety checklist after whistleblower Edward Snowden’s leaks in 2013. The amount of data that we provide willingly to online platforms as a result of globalisation and the commencement of the technological era is overwhelming, and how such data is used is a significant question considering the protection of sensitive personal data.

The European Union has been a key player in this discussion, with the enactment of its General Data Protection Regulation in 2014, which sets out how such data can be collected and used in accordance with the law. Another such legal tool, the Privacy Shield, aiming to protect Europeans’ personal data, was struck down this July as a result of the European Court of Justice’s Schrems II case. In this article I will explore what this means for Europeans and companies, and delve deep into Europe’s efforts to protect its citizens’ private data.

What is the Privacy Shield?

The Privacy Shield agreement was enacted in 2016, succeeding the now also invalid Safe Harbor. The agreement aimed to lay ground rules for how data exchange between the European Union (EU) and the United States (US) would be conducted. The data in question ranges from data acquired from social media posts and search queries to data about workers’ pensions. The agreement and its predecessor were originally enacted because of the differences in data protection laws between the US and the EU. While the EU has gathered its data privacy and protection laws under one document, the GDPR, the US does not have a single law that governs the issue. Instead, it has separate bills that protect healthcare data and such. This indicates a fundamental clash of legal priorities, causing security concerns amongst European citizens. While the EU is looking to protect its citizens’ private data and aims for a unilateral standard to be established for its use, the US wants its Big Tech companies, such as Facebook and Google, to continue transferring European data to Silicon Valley, a vital process in how tech companies conduct business.

GDPR provides that the transfer of data to a third country may only take place if the country in question ensures an adequate level of data protection. As Snowden’s leaks in 2013 proved, this is not the case for the US, hence it is not listed as one such country by the EU. Simply put, the Privacy Shield provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements for transferring data in accordance with GDPR rules, allowing the US to satisfy the necessary requirements. This is done in order to continue and support 260 billion dollars' worth of trans-Atlantic commerce.

The agreement works by guaranteeing European citizens’ privacy in US territories. Not only is it mandatory for the US to comply with GDPR requirements, but citizens can also go to court once they suspect that their data is being misused. It acts as a privacy guarantee for those living in Europe, where privacy is seen as a fundamental right. It includes written guarantees from American officials that the government will not collect and use Europeans’ data without sufficient reason. The framework also allows companies to self-certify that they would abide by the rules, resulting in more than 5,000 companies signing up to the agreement in hopes of continuing trans-Atlantic data exchange.

Though it took a long time for both parties to reach a settlement due to their different views on the subject, some still argue that the agreement was not doing enough. The disparate legal systems in place that govern data exchange raise security concerns and legal questions over the movement of personal information, which is why the last few years witnessed many attempts to strike the agreement down.

The Schrems II Case

Privacy rights activists who wanted to prevent companies from moving their personal data to the US, a country with looser data protection rules, succeeded in July of this year. This was Schrems II, where an Austrian data-protection campaigner filed a complaint against Facebook arguing that his privacy rights were violated once his data was moved to the US. He was worried that it would be vulnerable to misuse by American government officials.

Mr Schrems runs NOYB – “None of Your Business” – a privacy rights group. He is an avid campaigner: his previous case, Schrems I, had overturned the Privacy Shield’s predecessor, Safe Harbor, in 2015. His argument stemmed from the desire for the US to strive for better data protection regulations in order to continue trans-Atlantic data exchange.

The ECJ ruled that the agreement did not in fact comply with European privacy rights, and made the landmark decision on 16 July, invalidating the Privacy Shield. While Safe Harbor had lasted for 10 years, the Privacy Shield managed to last for only 4 years, signifying the EU’s dedication to protecting personal information.

What does the court decision mean for businesses?

For the more than 5,000 businesses that had signed up to the agreement, the Schrems II decision means legal limbo. There is uncertainty as to how companies can go about their vital data exchanges, forcing tech companies to rethink how they approach privacy.

For the time being, necessary transfers of personal data, such as emails, airline bookings, messages or direct private use of US activities, continue to be allowed. Businesses have also called for a grace period in which they can adjust to the new decision as talks of a new Privacy Shield commence. The ICO’s website currently reads as follows: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”

The decision has more impact on businesses than just disruption of services, however. With the invalidation of Safe Harbor 5 years ago, and now its successor Privacy Shield, the EU is communicating to the US that it expects stricter data privacy rules. The first major fallout of the Schrems II decision arose recently, as Irish regulators have started an inquiry into Facebook’s exchange of data between Europe and the US. The investigation will follow Facebook’s data practices closely, and may even end with the company overhauling its operations to keep data on Europeans stored within the EU. The inquiry is being closely watched by Google, another company that also depends on transferring data between the US and EU.

As the inquiry implies, EU regulators are increasingly speaking out in favour of keeping data inside the bloc as a result of the distrust between the parties, turning the tide on the idea of a truly borderless internet. There may be talks of a new deal right now, yet it is very likely that it too will be short-lived.
