Jul 17, 2020

AmCham Denmark Co-Signs U.S. Chamber Letter to Secretary Ross on Privacy Shield Ruling

Washington D.C., Thursday, July 16, 2020 – 7:30am

AmCham Denmark, along with multiple other European Chambers, has co-signed a U.S. Chamber statement on the European Court of Justice’s decision in Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (“Schrems II”). The statement was issued by U.S. Chamber of Commerce Executive Vice President and Head of International Affairs Myron Brilliant.

“Data flows are the lifeblood of the United States and European Union’s trade and investment partnership. Since 2016, the EU-U.S. Privacy Shield has enabled more than 5,300 businesses — the majority of which are small and medium-sized enterprises — to engage in transatlantic commerce while upholding a high standard of data privacy. The agreement has served as a model for inclusive digital trade and cross-border regulatory cooperation.

“The European Court of Justice’s decision today to invalidate the Privacy Shield focuses not on commercial uses of data, but on concerns over potential government access. We welcome the Court’s decision to affirm standard contractual clauses, which have served European consumers well for almost two decades. However, we urge the Trump Administration and our European partners to closely examine the ruling and swiftly negotiate a new framework to support those companies that rely on Privacy Shield for transatlantic data flows. It will also be necessary to secure a transition period for these businesses on both sides of the Atlantic to adjust their operations. The Chamber stands ready to support both governments toward a quick resolution.”

>>Read the European Court of Justice ruling here
>>Read the joint letter to Commerce Secretary Wilbur Ross here
>>Read statement from Commerce Secretary Wilbur Ross here

The Chamber’s Center for Global Regulatory Cooperation prepared the following overview:

  • What’s the case about? Max Schrems, an Austrian privacy activist, brought a lawsuit against Facebook, arguing that Facebook should not be allowed to transfer data from the EU to the United States. He claimed that the intelligence-gathering practices of the U.S. government violate European fundamental human rights and GDPR. Specifically, Schrems’ case attacked a legal tool that almost every company that does business with Europe uses for data transfers called “standard contractual clauses” (“SCCs”). Over the past few years, the case has snaked its way up to the European Court of Justice (i.e., the EU’s Supreme Court) and another data transfer tool, the EU-U.S. Privacy Shield was implicated.
  • How did the Court rule? The Court invalidated Privacy Shield because it found that the United States does not offer the same level of data protection as the EU. This is due to U.S. intelligence gathering practices, which includes access to European personal data. It also upheld SCCs in a general sense but casts doubt on using them to send personal data to the United States for many of the same reasons it invalidated Privacy Shield.
  • What is this case not about? This case is not about Facebook. Nor is it about U.S. companies’ data privacy practices or the need for a U.S. federal privacy law. It is about U.S. government intelligence gathering practices and a problem that haunts GDPR’s data transfer provisions: persistent legal challenges in Europe.
  • Why should we care? The Privacy Shield is used by more than 5,300 companies. Most are American. Over 70% of these are SMEs. Companies often use Privacy Shield to transfer data because other options are too expensive. Consequently, a tool for more inclusive digital trade is in jeopardy. Importantly, the decision casts doubt on most data transfers between the EU and other countries with equivalent or lower standards of civil liberties than the United States, including the United Kingdom, Canada, Brazil, Israel, Turkey, China, Russia, and India.
  • What’s next? The Administration and the European Commission must renegotiate Privacy Shield in a way that addresses the Court’s concerns. European Data Protection Authorities will likely take up the question of SCCs, an issue that will impact much more than the EU-U.S digital relationship.
  • What are we doing? We’re organizing a multi-association coalition to urge a calm and constructive response from the U.S. government and support the Privacy Shield negotiations. We’re closely following developments with regard to SCCs. This will likely be the next shoe to drop, and if it does it will be a much more serious issue for our members.