EU-US Data Flows at Risk

EU-US Data Flows at Risk

Legal challenges in the European Union to companies’ ability to transfer data from the EU to other countries may make it nearly impossible for companies as diverse as airlines, hotels, car manufacturers, retailers, multinationals, as well as digital platforms like Facebook, to run their businesses. This blog post examines the legal and policy issues and asks for help from IAB member companies to pressure Congress and the Biden Administration to act quickly to protect the free flow of data from the EU to the US.

Across every sector, companies rely on the ability to transfer data across borders in order to run their businesses, manage operations, and both find and serve customers. In the Schrems II decision in July, the Court of Justice of the European Union (CJEU) threw the legal mechanisms that enable those data flows into jeopardy.

Based upon the conclusion that US surveillance laws do not adequately protect Europeans’ privacy, the Court invalidated the EU-US Privacy Shield agreement. This forced thousands of companies across every sector that rely solely on the Privacy Shield to immediately suspend necessary data transfers from the EU to the US.

Even more dire is that the Court introduced tremendous uncertainty into the durability of Standard Contractual Clauses (SCCs), which companies rely on to transfer data even more than they rely on the Privacy Shield. If a European Data Protection Authority (DPA) were to determine that the laws of the country where the data is transferred are inadequate and cannot be supplemented, the DPA can invalidate a company’s SCC and suspend their transfers of personal data to that country.

Following the CJEU’s ruling, the Irish Data Protection Commissioner (IDPC) initiated an inquiry into the validity of Facebook’s SCCs. At the same time, relying on the Court’s justifications for invalidating the Privacy Shield, the IDPC, issued a preliminary decision that US law is inadequate.

If finalized, the IDPC may soon require Facebook to suspend data transfers from the EU to the US.

Why Does This Matter to IAB Member Companies?

The IDPC has made clear that companies across all sectors face immediate risk. The IDPC recently warned that many companies beyond Facebook would face “massive disruptions” to their EU-US transfers if the US does not address the CJEU’s concerns and negotiate a new framework for data transfers.

Recent guidance from the European Data Protection Board reinforces that the IDPC’s approach to enforcement following the CJEU’s ruling both aligns with and is also highly likely to set the precedent for how other DPA’s analyze the lawfulness of EU-US data transfers.

US companies—including the hundreds of IAB members that relied on Privacy Shield and now rely on SCCs—may soon find they can no longer rely on their most-used tool to transfer data from the EU to the US. They may have no viable alternatives

SCCs are a key tool for a wide range of industries, ranging from tech and services, to manufacturing, and even agriculture and construction. Over 85% of companies surveyed by IAPP1 and Digital Europe2 rely on SCCs to export personal data from the EU. 90% of surveyed companies also reported using SCCs for business-to-business sales and service, and almost all the companies confirmed that they rely on SCCs to transfer data to the US.

Without SCCs, companies would be extremely limited in their ability to transfer data out of Europe to the US, creating de facto data localization. Facebook and other major US companies that rely on complex global network infrastructures cannot simply wall off Europeans’ data from everyone else’s data. These systems need to be able to connect and transfer personal data between them, often across borders. And suspending their data transfers also means suspending critical transfers for the small and medium-sized businesses that rely on these companies to find and serve their customers around the world.

But it’s not just tech or tech-reliant companies that will be impacted by the suspension of EU-US data flows. Businesses in every sector rely on transatlantic data flows for basic operations.

If EU-US data flows were suspended:

  • American companies with an EU affiliate could not exchange employee information with the affiliate via a US-based cloud services provider, interfering with payroll, HR, benefits, and compliance operations.
  • US manufacturers of connected devices, such as connected cars and medical equipment, could not sell their products in Europe if they must transfer personal data to US servers or devices.
  • US airlines and hotel chains could not exchange customer information with their EU partners in managing their passenger loyalty programs, or to improve their services or marketing.
  • US retailers could not receive information about customers of stores operated by an EU affiliate to analyze sales trends.

We are finally nearing the other side of this pandemic. Now more than ever, businesses—especially small and medium sized businesses—need certainty that they will be able to continue to transfer data from the EU to the US.

What Should IAB Member Companies Do Now?

Add your voice! There is a real risk that enforcement actions by European DPAs will outpace the US-EU negotiations to replace the Privacy Shield.

The Biden Administration must take whatever steps are necessary to finalize these negotiations and protect EU-US data flows. Sharing your story with the Administration and Congress about how this would impact your company is critical!

Please reach out to me or to the IAB policy team to help us get started.


Brad Weltman
Director, Privacy Policy Engagement
at Facebook