The European Court of Justice (ECJ) has invalidated the EU-US Privacy Shield, a major agreement governing the transfer of EU citizens’ data to the United States. This yet again underlines the fact that people and businesses in the EU do not have control over their data.
The EU-US Privacy Shield is a multilateral agreement under which companies have to comply with higher privacy standards before transferring EU citizens’ data to the US. The ECJ has now ruled that the Privacy Shield does not provide enough protection against US surveillance laws such as the Patriot Act, FISA and the Cloud Act. If a US company falls under any of these surveillance laws, the flow of data must be stopped immediately.
The EU-US Privacy Shield system applied to practically all IT companies, and it supported transatlantic digital trade for more than 5,300 companies. According to University College London's European Institute, approximately 65% of them are small to medium-sized enterprises (SMEs) or start-ups.
Companies are no longer allowed to outsource their data if they may be subject to US surveillance. Instead, they will now have to sign bilateral agreements according to European provisions.
In our view, last week’s news about the European Court ruling and the developments around the Privacy Shield are another sign of a lack of data sovereignty. They illustrate the inability to get data control right, with privacy protection as an important part of that. People and businesses do not have control over their data. They have little to no transparency about how their data is used and dealt with, whether there is a Privacy Shield or not.
We believe that the European Commission should take this opportunity to extend its legislation towards ‘functional’ data sovereignty. This can be achieved through the creation, governance and enforcement of the use of a generic ‘soft infrastructure’ based on common technical, legal, operational and functional standards. In a world of functional data sovereignty, data holders and processors will be obliged to provide much more transparency about the use of both personal and business-related data. Moreover, citizens and businesses will be not only legally but also functionally able to provide and withdraw their consent to that usage at all times, as well as have the possibility to easily re-share and transact with their data.
For further reading see the following: