The European Court of Justice struck down the Privacy Shield Agreement, used by companies to transfer data between the EU and the United States. The case relates to Facebook’s transfer of data from its Ireland servers to the United States. ...
In July, the European Court of Justice struck down the Privacy Shield Agreement, used by companies to transfer data between the EU and the United States. The court ruled that the Privacy Shield did not do a sufficient job in protecting the privacy rights of EU citizens from the reach of US intelligence services. The ruling stems from a complaint brought forward by privacy advocate Max Schrems against Facebook’s transfer of data from its Ireland servers to the United States.
The ruling effectively shutters the ability for companies to transfer data from the EU to the US, and beyond. These companies include large tech companies like Facebook, but it also includes major clothing brands, international hotel chains, and international parts suppliers. The digital economy runs on the safe movement of this data, so much so that the total value of that data being transferred to the US from Europe is estimated to be over $300 billion.
The ruling, while meant to protect the privacy of European consumers, could end up harming consumers through increased redundancies, which ultimately drives up costs that are then passed on to consumers. Take for example an international hotel chain. Large chains own numerous properties within the EU, but send customer data from the EU to the US to be analyzed and processed. The analysis of that data ultimately ends up driving business decisions, and plays an important role in determining the direction, services, and promotions offered by that brand worldwide. To say that this data is instrumental for the success of the brand would be an understatement.
Taken at face value, the ECJ ruling would prohibit companies like this from sending data to the US, which would require them to create, largely redundant, processing capacity within the EU. Being unable to analyze this data centrally runs the risk of creating data silos, which adds unnecessary hurdles for smooth operations and increases overall costs. Those costs would be shouldered by consumers. While the privacy ruling is not protectionism per se, it has the same impact. If EU legislators were to require all European hotel brands to be only stocked with European made goods, that would be a huge net negative for global brands through increased costs, and increased prices for the consumers who regularly frequent these properties. Data silos have the same impact as trade protectionism, and those costs are exponentially greater if data silos become common practice as a result of this ruling.
Privacy advocates like Schrems, while well intended in their quest for privacy protections, may be throwing the baby out with the bathwater. It’s perfectly legitimate to question the reach of US intelligence services and their ability compel US firms to hand over data, however; a complete shuttering of transatlantic data sharing is a disaster for all involved.
And while that questioning might be legitimate, it needs to be pointed out that there are legal limits on the extent to which US intelligence services can encroach on user data. In fact, in response to the Snowden leaks of 2013 (which Schrems has used to justify his challenge), the US has implemented a series of privacy reforms. These reforms might not be perfect in their application, but they do certainly bring the US in line with surveillance and privacy laws in EU member states. A quick review of France’s 2015 surveillance law clearly shows that any criticism of US intelligence also applies to member states like France. If member state privacy laws are in line with US law (however flawed they might be) it is puzzling why advocates would seek to shut down transatlantic data transfers and focus solely on the US. This looks like it is ignorance at its best, and hypocrisy at its worst.
This ignorance or hypocrisy becomes even more apparent when one evaluates the growing influence of Chinese companies in the international economy. Companies like Huawei and TikTok immediately come to mind, and if we are concerned about data privacy, this is where our sights should be narrowed. If the reach of US intelligence concerns you, the reach of Beijing should keep you up at night.
We know that Mainland owned companies are required to cooperate with authorities when asked, and we now know that the Chinese government has already started laying charges against non-citizens for breaking China’s national security laws. In terms of where our data ends up, and how it could be used (potentially against us), China is the jurisdiction that deserves our attention, and our scrutiny. With privacy sights set on the USA as opposed to China, European lawmakers may be creating economically disastrous data silos, and missing the real threat of Chinese encroachment.