Schrems II ruling puts European recovery at risk

A European Court of Justice ruling on data exchanges is a potential ‘bombshell’ for small businesses, warns Cecilia Bonefeld-Dahl.
Cecilia Bonefeld-Dahl

By Cecilia Bonefeld-Dahl

Cecilia Bonefeld-Dahl is the Director General of DIGITALEUROPE

15 Sep 2020

Millions of transactions taking data in and out of Europe happen every day. These data exchanges are the lifeblood of the modern economy. However, a recent decision by the European Court of Justice named after Austrian activist Max Schrems threatens to restrict these data transfers or even stop them altogether.

This isn’t just an issue for the digital sector – data is helping to boost competitiveness and deliver higher profits across a range of industries from manufacturing to healthcare. Unless measures are taken quickly, we can expect a further damaging slowdown at a time when the European economy is on its knees because of COVID.

Thousands of companies big and small rely on cross-border data transfers every day, for things as mundane as sharing HR information with subsidiaries or parent companies, or outsourcing website support.

In the field of health – so important at this current moment – restricted data flows could curtail global efforts to find vaccines and treat illnesses. In finance, money laundering prevention needs global data flows.

In Europe we have some of the strongest personal data protection rules on the planet. The General Data Protection Regulation (GDPR) came into force two years ago and has proven to be a model for many other countries in how to keep citizens’ data safe from misuse. There are also rules in place to govern what happens when that data leaves European shores.

However, on 16 July the European Court of Justice delivered a significant ruling. On the plus side, it said that the main legal method for sharing data – standard contractual clauses (SCCs) – remained valid. Yet buried in the reasoning was a bombshell for small businesses. Now companies must take it upon themselves to assess the data protection laws of other countries. In addition, data transfers to the US were put in serious doubt.

“Buried in the [ECJ’s] reasoning was a bombshell for small businesses. Now companies must take it upon themselves to assess the data protection laws of other countries. In addition, data transfers to the US were put in serious doubt”

Thanks to the GDPR, businesses are used to assessing data protection as part of their work. And this is a good development. But analysing the whole of Indian law to see if it offers the right levels of protection is a completely different thing.

As a former small businessperson myself, I can tell you this is an extra job they’d rather not have. This may just be possible for big companies with huge legal departments, if at all, but this will most likely be an impossible task for almost all smaller companies. This is the last thing that is needed for companies trying to navigate the worst recession in living memory.

Even more troubling was the verdict on Privacy Shield, which governed the data-sharing between Europe and the US. The transatlantic economic relationship is one of the world’s most important trade arteries, and it is powered to a large extent by service exports such as finance, consulting, and indeed digital – all of which are reliant on millions of daily data transfers.

From 2010 to 2016, the EU’s global exports of services increased from €567bn to €845bn, a quarter of which goes to the US.

Indirectly, many of the services provided by companies relying on Privacy Shield are central to the ICT infrastructure of every type of business from restaurants to libraries.

On SCCs, we believe that by being clearer on what measures can be adopted following the Court’s decision, we could make life a lot easier for companies to navigate these murky legal waters. As we outlined in our recent preliminary analysis, a good example would be increased use of encryption technologies to keep personal data safe, or more transparency.

“We need urgent clarity with a common approach from all European data protection authorities and we are ready to bring our members to the table as soon as possible”

It is vital that the European Data Protection Board now gets together with the European Commission to issue clear and uniform guidance and a new set of SCCs incorporating stronger measures. The current situation – where authorities in different countries are issuing their own interpretations of the ruling is damaging for business and damaging for the single market.

For Privacy Shield we need to keep our heads and find a negotiated solution with our US partners as soon as possible. Again, our many members think this is possible. But what matters is that the political will is there.

I’m encouraged by the commitment we’ve already seen on both sides of the Atlantic to make that happen, although no one is saying it will be easy with Presidential elections right round the corner.

For many businesses, they will be wondering how a complex ruling in Luxembourg could have such a big impact on their daily activities, especially if they do not consider themselves to be a ‘digital’ company.

In the current economic climate, this is could be a hammer blow to struggling companies and their workers. We need urgent clarity with a common approach from all European data protection authorities and we are ready to bring our members to the table as soon as possible.

In addition, we stand fully behind the dialogue between the EU and the US on a long-term alignment of privacy rules and framework.

Read the most recent articles written by Cecilia Bonefeld-Dahl - Digital technologies can help us tackle Coronavirus, but we need to invest now

Share this page