The balkanization of the internet continues.
The European Union’s top court called a halt on Thursday to the main way companies transfer data across the Atlantic. The Privacy Shield, as it is known, allows for data from Europe to remain subject to the region’s data privacy laws when shifted to the US. However, the European Court of Justice ruled that US law made such data vulnerable to intelligence snooping, breaching privacy regulations.
The case was elevated to the ECJ after years of legal challenges by privacy campaigner Max Schrems against Facebook Inc. in Ireland, the adtech giant’s European base. While the ruling might make some processes trickier for the tech behemoths, their global scale means they are better placed to handle its fallout than smaller firms.
Companies are now exposed to greater legal risk if they decide to transfer data out of the region. The ECJ left a mechanism called Standard Contractual Clauses (or SCCs) in place which will allow firms to do so, but the conditions are strict, according to Tamara Quinn, a lawyer at Osborne Clarke in London. It will be a lot easier to handle for the likes of Google, Facebook, Microsoft Corp., or indeed Procter & Gamble Co., all of whom have significant international footprints, than it will a small business.
Take a company’s human resources department, for instance. Until now, employee data could be easily transferred between Europe and the US, meaning a Seattle firm could readily manage payroll for European employees from the other side of the world. That’s now tricky. But if you’re P&G, with more than 30,000 employees in Europe, it’s likely to make less of a difference than if you’re a Texas-based widget-maker with 100 employees that just opened a one-person sales office in Munich. Suddenly you may have to add more back-office jobs in Europe when holding employee and customer data in the region.
It may be even more troublesome for companies whose business is digital. Whereas a San Francisco-based startup could previously launch an offering in Europe without any physical presence there, that might no longer be feasible. And European startups who outsource some data analysis to third parties, or even have engineering teams in the US, will also encounter greater difficulty.
Continuing business won’t be impossible, because of those SCCs, which comprise agreements between sender and recipient that aim to protect the individuals whose data is being transferred. But it’s a tougher legal hurdle that could gum up the process.
Again, these dynamics play into the hands of the cloud computing giants whose existing European data centers could make their legal compliance a selling point. There could even be more re-shoring of capabilities to Europe.
It looks like another repercussion of intelligence threats impinging upon the free flow of trade. The ruling falls the same week as the UK banned gear made by China’s Huawei Technologies Co. from its next-generation communications networks. Just as the Edward Snowden leaks revealing the extent of US espionage collaboration with the tech industry prompted Schrems’s campaign, it was US fears that China might co-opt Huawei equipment for its own ends that helped bring about the UK ban. The internet is rapidly developing borders.
(Bloomberg)