ECJ data protection rulings drive up compliance costs for EU businesses

Two of the ECJ’s recent rulings drive up compliance costs for businesses operating across the European Union. As American technology firms adapt, this marks a win for citizens and holds opportunities for some European-based technology firms.

Last week, the European Court of Justice (ECJ) struck down ‘Safe Harbour’, a regime regulating transatlantic data transfers under which businesses could certify themselves as meeting European data-protection standards. The ruling is the latest in a string of rulings aimed at strengthening citizens’ privacy rights.

In a case against Facebook, brought by an Austrian graduate student, the Court found that revelations about the NSA’s mass and indiscriminate surveillance and data collection undercut the credibility of companies’ self-certification.

This is especially true of giant technology firms like Alphabet’s Google, Apple, Microsoft, and Facebook, who are seen to be cooperating with the NSA’s PRISM programme and have to share private user data upon the regulator’s request.

The ruling does not outlaw transfers of personal data to the US for storage, but does allow national regulators to investigate and suspend them if a company does not adequately safeguard privacy.

Interestingly, a few days before upending Safe Harbour, the ECJ made another landmark decision. In its ruling on the Weltimmo case, it established that Member States’ national data protection authorities have the right to fine companies operating within their jurisdiction if they fail to comply with local data protection regulations.

Companies operating across multiple EU jurisdictions previously only needed to comply with data protection regulations in the country where they are headquartered, which led many to base themselves in Ireland or the UK with their relatively lax regulations.

In short, the Weltimmo ruling means companies operating in the EU now potentially have to deal with 28 national regulators, while the end of Safe Harbour means that these regulators can investigate any company for storing data of European customers in the US.

How will it impact business?

Taken together, these two decisions, made in the span of one week, mean that businesses operating in the European Union face substantially increased compliance costs. Rather than diminishing European customers’ access to digital services, as one worried advertising industry executive put it, it is more likely that companies will scramble to adapt to the EU’s stricter privacy regime.

Companies like Facebook and Microsoft have downplayed the impact of Safe Harbour being struck down, arguing that other agreements with the EU offer adequate legal foundation for data transfers.

One short-term solution for some firms may be to adopt European Commission-approved Model Contracts: agreements between a European data exporter and the importer of personal data that should provide adequate safeguards for data transfers. It is likely that Facebook had these in mind when issuing its press statement.

This alternative does not address a big concern for multinationals: storing employee data. To be valid, Model Contracts require consent by the data exporter. Employees are seen not to have free choice in the matter, as they can feel pressured to consent for fear of losing their job. This cancels out Model Contracts as a solution for many businesses affected by the Safe Harbour ruling.

Moreover, Model Contracts are not a stable solution in the long run anyway: as a consequence of ‘Weltimmo’, national privacy watchdogs have the undisputed authority to demand that data transfers be stopped regardless, if they feel that adequate privacy protections cannot be offered in the US.

Companies will therefore need to adopt more robust alternatives. Concretely, technology firms that have not already done so will invest in building European data centres or seek partners that already have such facilities.

American cloud computing provider Box has already announced it is developing data centres in Europe that will open within a year, presumably utilizing the European facilities of its commercial partner IBM. Amazon has already built its own European data centres, anticipating a European market for localized data storage.

European cloud services are a clear winner, as they will see demand for their product increase. In turn, this means increased competition within the cloud computing market. The ultimate winners are European consumers, who will see their privacy better protected, and as a bonus may see the costs of using cloud storage go down as well.

A new Safe Harbour deal with the US has already been under negotiation for two years, but an agreement has so far proved elusive, because the US insists on exceptions allowing its intelligence services access to the personal data. This the EU has been unwilling to grant.

The Court’s ruling makes it all the more unlikely that the EU will give in on the issue.

About Author

Niels Van Wanrooij

Niels van Wanrooij is a public sector consultant with experience in international policy at the Dutch Parliament and in advocacy with an NGO. He holds an MSc. in International Political Economy from LSE along with an MSc. in International Relations and a BSc. in Political Science from the Radboud University in the Netherlands.