Technology companies across the U.S. are looking for coping strategies to continue complying with international privacy laws after Europe’s highest court rejected privacy protection under the EU-U.S. data transfer agreement,media Protocol reported. In a victory for privacy activists, the European Court of Justice on Thursday annulled the “privacy” agreement, saying the framework does not adequately protect European users from the U.S. government’s far-reaching surveillance laws.
The decision will force the 5,384 companies currently dependent on the EU-US privacy agreement to recalibrate their privacy policies, especially when it comes to how and why they collect data on EU users.
“Like many businesses, we are carefully considering the outcome and impact of the court’s decision on the use of privacy agreements, and we look forward to regulatory guidance in this regard.” Eva Nagle, a Facebook lawyer, said in a statement.
While Facebook, Google, Amazon and Microsoft all rely in part on EU-U.S. “privacy protection” agreements to transfer data from EU users, 70 percent of the companies certified under that framework are small and medium-sized, according to the Computer and Communications Industry Association. These companies have fewer resources and are likely to have no servers in the EU. Omer Tene, vice president of the International Association of Privacy Professionals, said they may face the biggest challenges in seeking to comply with the decision.
Tene said the privacy professionals he met were “competing” for, although the decision was not shocking to those who followed the case closely.
The 11 U.S. companies contacted by Protocol on Thursday said they were reviewing the decision with legal counsel and scrutinizing complex and extensive agreements and contracts to ensure that their current data transfer agreements remain in line with the law. Several companies said they were waiting for further guidance from Regulators in europe and the United States and may have to make some changes to the way they do business.
“Discord is reviewing the european Court of Justice’s ruling and looks forward to regulatory guidance from the European Commission and the Ministry of Commerce,” said a Discord spokesman, a popular chat site with users around the world. Dave Koslow, chief operating officer of DocSend, an electronic protocol company, said the company “has some work to do” in the near future. We need to review our agreements and make any necessary adjustments to adapt to regulatory changes. “
Although the court rejected the “privacy” agreement, its opinion upheld the “standard contractual clause”, which allows U.S. companies to process EU data in a shorter term. The court called on Europe’s data authorities to ensure that the provisions provide “adequate levels of protection” to EU users, which could lead the EU to step up its scrutiny of the provisions.
Technology companies, including Fitbit, Ancestry.com, Box, cloud software companies Domo and Akami Technologies, have said they will rely on the agreements to replace EU-U.S. privacy agreements. “We rely on a variety of legal grounds for the legal transfer of personal data globally,” a Fitbit spokesman said. (EU regulators are currently investigating The acquisition of Fitbit by Google.) “These include your consent, the EU-U.S. and Swiss-U.S. privacy agreements, and the model contract terms approved by the European Commission, which require certain privacy and security protections.”
Rafi Azim-Khan, head of data privacy at Pillsbury, said the “far-reaching” court case was just the latest reminder that corporate privacy is now a “board-level issue.”