As Europe tightens its privacy and data protection framework, U.S. tech companies face increased disruption, mounting legal costs and operational challenges due to uncertainty over the laws that govern transatlantic data transfers.
Part 1: Tech firms face data disruption amid Privacy Shield uncertainty
Part 2: US weighs potential response to EU's new data protection law
Part 3: US big tech reports mixed impact from EU data protection law
Since the legal mechanism that underpins data flows between Europe and the U.S. — the EU-U.S. Privacy Shield — is under threat of suspension by the European Commission, moving data across national borders could become increasingly complex for the more than 3,300 businesses and organizations reportedly linked to the framework, including Facebook Inc., Alphabet Inc., Microsoft Corp. and Twitter Inc.
Negotiated by the European Commission and the U.S. Commerce Department in 2016, the Privacy Shield replaced the Safe Harbor pact, which the Court of Justice of the European Union rendered unlawful in 2015 following a complaint by Austrian data privacy activist Max Schrems against Facebook for allegedly transferring European user data to U.S. intelligence programs.
In July, however, the European Parliament called for the Privacy Shield to be suspended by Sept. 1, following the recent Facebook-Cambridge Analytica data breach. Members of the parliament's Civil Liberties, Justice and Home Affairs Committee expressed concern about the failure of U.S. authorities to provide enough data protection for EU citizens under the new General Data Protection Regulation, or GDPR.
In light of the growing European concerns, the future of the Privacy Shield looks vulnerable, and suspending the agreement would be hugely disruptive to transatlantic commerce, according to Elaine Fahey, professor of law at City, University of London.
"Almost a billion citizens are covered by the Privacy Shield so it's an extraordinary situation for both the public and private sector," she said in an interview.
Services at stake
At stake are a raft of transatlantic digital services, mainly supplied by tech companies and worth an estimated $70 billion trade surplus for the U.S. in 2015, according to the Commerce Department.
Yet, the business effect of halting data flows would be felt the most by small to medium-sized businesses without access to alternative mechanisms, according to Ashley Gorski, staff attorney at the nonprofit American Civil Liberties Union.
For instance, the European Union uses standard contractual clauses to ensure adequate safeguards for international data transfers, she explained.
The fact that these alternative data transfer methods are also facing a legal challenge from the Irish High Court in the Court of Justice of the European Union, following complaints brought forward by Schrems and Ireland's data protection commissioner, only exacerbates the problem.
"If the Court of Justice [of the European Union] concludes that the U.S. surveillance regime is fundamentally incompatible with the right to guarantee privacy, then it is not just a matter of finding an alternative data-sharing mechanism. It's really about pushing Congress to completely reform surveillance laws in the U.S.," Gorski said.
Either way, Silicon Valley's losses could be tremendous, she added.
Warnings of fallout
While it is difficult to quantify the potential fallout, American businesses are already issuing early warnings.
A recent Microsoft 10-K filing said revisions to the current framework may require "changes in services, business practices, or internal systems that result in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with foreign-based firms."
What's more, tougher data laws — following the May launch of the GDPR — will further complicate matters for companies without a legal basis for EU-U.S. data transfers, said Dublin-based Simon McGarr, solicitor at McGarr Solicitors and director of Data Compliance Europe.
The GDPR introduced a swathe of legislative changes designed to strengthen rules around how EU citizens' data is collected, stored, managed and shared. The proposed measures include the possibility of fines of up to 4% of a company's global revenue for the most serious breaches.
"Since the GDPR has come into effect, the consequences for an illegal data transfer are much more severe," McGarr said, adding that potential fines could be substantial even for medium-sized technology businesses.
"The U.S. and EU are extremely data-heavy economies so, in the event of a doomsday scenario, this is going to become an issue for large companies that have relied on the Privacy Shield," he added.
U.S. and EU officials are set to meet this autumn for a review of the Privacy Shield framework, but McGarr said a suspension of the agreement is likely.
He said: "The Privacy Shield always looked a bit shaky, even when it was instituted. It was always under review right from the very start."
Editor's note: This article is part of a series about the future of privacy and data regulation in the EU and the U.S.