Data security in digital commerce: EU-US Privacy Shield holds up
There are hardly any physical borders left to constrict expanding online trade. However, legal differences persist between increasingly interconnected nations and companies that can be an obstacle to the development of global e-commerce: For example, on 22 November 2017, the General Courts of the European Court of Justice rejected a challenge to the EU-US Privacy Shield regulating transatlantic data sharing. This ruling was made at the European level and is relevant for companies from all over Europe involved in digital commerce, as the issue of data protection cannot be ignored when managing customer data.
The EU-US Privacy Shield is the successor to the Safe Harbor agreement, which was the legal basis for personal data transfers between the EU and the US until 2015. As explained in our detailed overview on the topic of international data protection, strict data protection principles apply within Europe, which must also be adhered to when transferring data to third countries - even if they are not bound by the EU's data protection regulations. This becomes a problem when a third country like the US falls short of European data regulations and is considered "unsafe". Since 2016, the EU-US Privacy Shield has protected the personal data of European citizens that is securely transferred to US companies in the course of this - which could be the case when using American software, for example.
The significance of the EU-US Privacy Shield for digital commerce
As the legal basis for the storage and processing of personal data from Europe in the USA, the EU-US Privacy Shield is very important for the digital economy: Many of the big players like Google, Facebook & Co. are originators of intensive, transatlantic data traffic - and European companies cannot get around their platforms and tools. "The EU Privacy Shield, which is immensely important for transatlantic data traffic, is thus secured in its existence for the time being," comments Michael Neuber, lawyer and head of policy and regulation at the Bundesverband Digitale Wirtschaft (BVDW) e.V., on the averting of the action before the General Court . The court denied the Irish organisation Digital Rights the right to file an application, as it was neither a natural person nor personal data of the organisation itself was affected - the data protection shield therefore continues to exist. With the continuation of the status quo in data protection law, European companies can breathe a sigh of relief: a complete revision of the current legal situation and the accompanying restructuring will not be necessary for the time being.
What companies need to consider when transferring data
Nevertheless, the issue of data protection is unavoidable for companies. Countless and increasingly powerful tools enable a better understanding of potential and existing customers: The collected data can be used to optimise the marketing strategy, the online shop and the sales processes. However, it is important that these personal snippets of information are handled with care. A transatlantic data transfer should only be carried out with companies that are certified by the EU-US Privacy Shield. This is because, as described in our article, data processed in the US, for example, must be treated in accordance with European data protection regulations. Furthermore, companies should inform themselves about the use of EU Standard Contractual Clauses and Binding Corporate Rules and consider them as an additional measure to the EU-US Privacy Shield. These clauses provide a legal safeguard for permissible data transfers to other "unsafe third countries".
For the time being, the data protection shield holds: companies that send data to the US for further processing and follow the rules of the EU-US Privacy Shield do not have to fear acute legal uncertainty. It is not yet foreseeable to what extent the legal "borders" will restrict e-commerce in the future and be able to guarantee the data protection of European users. As an agency for digital commerce, we point out the importance of data protection measures and relevant legal decisions that can have an enormous impact on German companies and business processes. However, as we cannot and may not provide legal advice, we recommend that you seek advice from a specialist lawyer on the topic of data protection.