• The EU Court of Justice yesterday struck down the EU-US Privacy Shield, a major agreement governing the transfer of EU citizens’ data to the United States.

• At the same time, the Court maintained the validity of standard contractual clauses (SCC) which permit transfers of personal data to a third country.

• DIGITAL SME welcomes the ruling insofar as it strengthens privacy and GDPR-compliant business solutions but calls for a “clear and viable long-term arrangement” for data transfers.

Brussel, 17 July 2020. Four years ago, DIGITAL SME criticised the architecture of the EU-US Privacy Shield, a framework for regulating transatlantic exchanges of personal data for commercial purposes agreed on by the EU and the US. Yesterday’s ruling by the Court of Justice of the European Union (CJEU), which declared the Privacy Shield invalid, proved our scepticism right. The ruling means that large US-based technology companies will no longer be able to simply transfer personal data of European citizens to servers in the US by way of the Privacy Shield. This decision is likely to support privacy-friendly alternatives that safeguard fundamental rights. At the same time, the Court maintained the validity of so-called “standard contractual clauses” (SCCs), non-negotiable legal instruments used to export data out of Europe. SCCs continue to be the legal basis of data transfers to third countries for companies like Facebook, but are likely to see stronger scrutiny and oversight by Data Protection Authorities (DPAs) in Europe.

An edge for privacy-friendly solutions, but legal certainty needed

The CJEU ruling confirms that innovative, privacy-friendly frontrunners are on the right track. Strengthening the already advanced data protection and privacy profile of the EU can bring opportunities to businesses that build privacy-friendly business models. At the moment, technology solutions providing superior privacy do not necessary constitute a competitive edge. Some large tech companies based outside of Europe were able to build on business models that were founded on bulk data collection, while EU-based companies largely apply strict data protection and privacy rules. This ruling may support the path to establishing privacy as a competitive advantage in Europe by levelling the playing field.

At the same time, there is a need to create legal certainty for European businesses, and to make sure that they can compete globally. As DIGITAL SME President Dr Oliver Grün stated, “We must ensure that valuable personal data of European citizens is not transferred in bulk without any checks. However, to support business in Europe, we need a clear and viable long-term arrangement that works for companies and allows them to compete globally”.

European SMEs need better access to data to stay competitive

Indeed, the ruling may bring risks to companies that operate between the EU and the US, and that need to process data to develop innovative solutions. As stated in our commentary on the 2-year GDPR review, some of the innovative technology frontrunners among DIGITAL SME’s membership say they face hurdles in terms of data access and freedom to experiment to develop new innovative solutions. For instance, when it comes to facial recognition, a large problem that has become apparent is the lack of datasets. Companies in Europe cannot use common facial databases due to the GDPR. This is a competitive disadvantage compared to the US, China, Russia, and other countries. With yesterday’s ruling, companies operating globally may be in a competitive disadvantage if they cannot share data with their US entities. Also, innovative frontrunners may choose to base themselves in markets with laxer privacy rules.

Thus, there is a need to ensure legal certainty for European businesses operating globally, while limiting intrusive surveillance and bulk collection of personal data. At the same time, policymakers need to support the development of innovative data-based solutions and services by fostering a privacy-friendly data ecosystem and governance in Europe.