New York – The balkanization of the internet continues.
The European Union’s top court called a halt on July 16 to the main way companies transfer data across the Atlantic. The Privacy Shield, as it is known, allows for data from Europe to remain subject to the region’s data privacy laws when shifted to the United States. However, the European Court of Justice ruled that U.S. law made such data vulnerable to intelligence snooping, breaching privacy regulations.
The case was elevated to the ECJ after years of legal challenges by privacy campaigner Max Schrems against Facebook Inc. in Ireland, the tech giant’s European base. While the ruling might make some processes trickier for the tech behemoths, their global scale means they are better placed to handle its fallout than smaller firms.
Companies are now exposed to greater legal risk if they decide to transfer data out of the region. The ECJ left a mechanism called Standard Contractual Clauses (or SCCs) in place which will allow firms to do so, but the conditions are strict, according to Tamara Quinn, a lawyer at Osborne Clarke in London. It will be a lot easier to handle for the likes of Google, Facebook, Microsoft Corp. or indeed Procter & Gamble Co., all of whom have significant international footprints, than it will a small business.
Take a company’s human resources department, for instance. Until now, employee data could be easily transferred between Europe and the U.S., meaning a Seattle firm could readily manage payroll for European employees from the other side of the world. That’s now tricky. But if you’re P&G, with more than 30,000 employees in Europe, it’s likely to make less of a difference than if you’re a Texas-based widget-maker with 100 employees that just opened a one-person sales office in Munich. Suddenly you may have to add more back-office jobs in Europe when holding employee and customer data in the region.
It may be even more troublesome for companies whose business is digital. Whereas a San Francisco-based startup could previously launch an offering in Europe without any physical presence there, that might no longer be feasible. And European startups who outsource some data analysis to third parties, or even have engineering teams in the U.S., will also encounter greater difficulty.
Continuing business won’t be impossible, because of those SCCs, which comprise agreements between sender and recipient that aim to protect the individuals whose data is being transferred. But it’s a tougher legal hurdle that could gum up the process.
Again, these dynamics play into the hands of the cloud computing giants whose existing European data centers could make their legal compliance a selling point. There could even be more re-shoring of capabilities to Europe.
It looks like another repercussion of intelligence threats impinging upon the free flow of trade. The ruling came the same week that the United Kingdom banned gear made by China’s Huawei Technologies Co. from its next-generation communications networks. Just as the Edward Snowden leaks revealing the extent of U.S. espionage collaboration with the tech industry prompted Schrems’s campaign, it was U.S. fears that China might co-opt Huawei equipment for its own ends that helped bring about the U.K. ban. The internet is rapidly developing borders.
Alex Webb is a Bloomberg Opinion columnist covering Europe's technology, media and communications industries. He previously covered Apple and other technology companies for Bloomberg News in San Francisco.