Europeans could be in for an unfortunate surprise as their data transfers to the world begin to look like a thing of the past.
Globalisation and digitisation have made Europe a leading global exporter of digitally delivered services. European firms, ranging from energy companies to truck manufacturers, rely on global information exchanges to monitor machine performance, enhance security, manage global value chains, and more.
Europe’s legal framework for data transfers, however, was written in the early 1990s, before the Internet revolution and the rise of data global flows. In consequence, the EU has since the 1990s had restrictions in place for the transfer of personal data, which is only allowed under a few legal exceptions.
One of the legal tools for data transfers was the EU-U.S. Safe Harbour framework. This mechanism enabled thousands of European and U.S. companies to transfer commercial data, such as payroll data, from the EU to the U.S. The EU and U.S. negotiators were on track to finalise an updated and strengthened framework when the Court of Justice of the EU (CJEU) struck down the old Safe Harbour in October 2015.
Since then, EU and U.S. negotiators have significantly revised the text (re-named “Privacy Shield”) and are working to finalize a far more robust set of obligations on companies that sign up to the framework. In a few weeks a group of EU Member States (the “Article 31 Committee”) is slated to vote on Privacy Shield, which will clear the way for it to be officially adopted.
Back when the CJEU invalidated Safe Harbour, I warned that other EU legal tools could be questioned and also invalidated by the EU’s highest court. This dangerous game of dominoes is now materialising.