GUEST COMMENT EU-US Privacy Shield: Why some EU ecommerce retailers may find data privacy protectio
Last October the European Court of Justice (ECJ) declared the Safe Harbour data transfer agreement invalid, ending the 15 year pact that had governed data flows, especially flows of personal data across the Atlantic. The landmark decision came in the wake of revelations by Edward Snowdon about the US National Security Agency’s PRISM spying operation. In the ensuing lawsuit between Austrian privacy campaigner Max Schrems and Facebook, the ECJ ruled the self-certified protections promised by Safe Harbour to be worthless.
Overnight, every US tech company previously covered by Safe Harbour found itself potentially out of compliance with European data protection rules. And the ensuing debate put the spotlight on privacy and consent, and where EU customers of US internet/cloud service providers stood when it came to privacy and consent.
Say hello to ‘EU-US Privacy Shield’
In February 2016 the European Commission unveiled its new deal with the US to concerning transatlantic data flows. The so-called ‘EU-US Privacy Shield’ will replace Safe Harbour and is due to come into force later this year. But US tech companies may not be out of the woods just yet as these new draft arrangements are likely to be challenged almost immediately by civil rights activists, data protection authorities and European courts.
For those that viewed Safe Harbour as an all too convenient ‘loophole’ that simply allowed US companies to by-pass European privacy laws, there’s little sign that this new and improved ‘Safe Harbour 2.0’ will win their approval. Indeed activists, like Max Schrems are already threatening legal action. In the meantime, privacy regulators in some EU member states have already stated their intent to investigate and take action against businesses exporting data overseas. To put it simply, the status of previously certified Safe Harbour companies remains unclear. And these companies will not be able to rely on the EU-US Privacy Shield for data transfers for some time yet.
So, what does all this mean for online merchants and retailers that sell to European consumers?
Data protection compliance – what’s your responsibility?
The elimination of Safe Harbour, and the recent move by the Russian government to prohibit foreign online suppliers processing the personal data of Russian citizens on servers located outside of Russia, has led many multinational online companies like Google and Facebook to set up local data centres across Europe to process personal data.
But response to the data protection issue across the ecommerce industry has been varied. For example, Amazon Web Services (AWS) has signalled that its customers can determine where their customer content is stored, can choose the secured state of customer content in transit or at rest, and deploy AWS services in the locations of their choice in accordance with their specific geographic requirements – including AWS regions in Dublin and Frankfurt.
Others, however, have been less than transparent on guaranteeing that consumer data will only be processed and held within the EU. This has left many European merchants in potential violation of local privacy and data protection laws in EU member states.
One interim workaround suggested by some SaaS suppliers includes implementing a feature in European merchant stores that enables consumers to consent to data transfers to the US – an approach some merchants report has negatively impacted online checkout conversion rates. Some EU lawyers have even disputed whether gaining consent is even legally viable. With the EU-US Privacy Shield agreement still not officially adopted, online merchants and retailers cannot afford to be coy when it comes to asking some hard questions of their providers.
Facing facts – the basics
Online merchants and retailers that rely on SaaS suppliers for their ecommerce store need to understand with absolute clarity if consumer personal data is being stored and processed outside the EU. If this is the case, then they will need to understand who owns responsibility on this issue reflecting applicable law.
But that’s not the only consideration facing online merchants and retailers. Today’s ecommerce systems extend beyond the shop front. A company in Europe may fall foul of EU data protection rules if it uses a US service provider for email marketing, or analytics, or to monitor consumer behaviours on their website to trigger voucher or coupon actions. Until the EU-US Privacy Shield is locked down, retailers may wish to inhibit some of these activities in the interim period.
A word of caution on those big tech firms looking to use instruments such as ‘EU model contract clauses’ and ‘binding corporate rules’ to keep data transfers between the EU/US legal. There’s considerable debate that regulators are likely to find this to be against the spirit of the ECJ’s original ruling on Safe Harbour.
Those European merchants that operate a European on-premise solution can be more confident that their ecommerce platform and web shop delivers full compliance with current EU data legislation. Similarly, working with an EU provider, such as Intershop Communications AG, that offers cloud or managed services that are powered from EU data centres will assure that local data protection environments are catered for.
In some respects, this will generate long term benefits as businesses operating in the EU now need to start preparations for the implementation of the newly agreed EU General Data Protection
Regulation (GDPR) in 2018. The rules of GDPR will apply to both data collectors and data processors.Businesses operating in the EU now need to start preparations for the implementation of the newly agreed EU General Data Protection Regulation (GDPR) in 2018. The rules of GDPR will apply to both data collectors and data processors.
At the end of the day online merchants and retailers serving European customers need to, at the very least, check their responsibility with regard to data protection in each case. Ideally, they should consider local servers to ensure their customers have the legal right to privacy and seek legal advice with regards to applicable law.
Lars Schickner is director of the Innovation Lab at Intershop