Data security in digital commerce: EU-US Privacy Shield holds up

Stefano Viani


13 Feb 2018 Law Digital Agency

There are hardly any physical borders that can still restrict expanding online trade. However, legal differences persist between increasingly interconnected nations and companies, and these can hinder the development of global e-commerce. For example, on November 22, 2017, the General Court of the European Court of Justice rejected a challenge to the EU-US Privacy Shield, which regulates transatlantic data sharing. This ruling was made at the European level and is relevant for companies from all over Europe involved in digital commerce, because the issue of data protection cannot be ignored when managing customer data.

The EU-US Privacy Shield is the successor to the Safe Harbor agreement, which formed the legal basis for personal data transfers between the EU and the USA until 2015. As explained in our detailed overview on the topic of international data protection, strict data protection principles apply within Europe that must also be observed when transferring data to third countries, even if those countries are not bound by the EU's data protection requirements. This becomes a problem when a third country such as the USA falls short of European data regulations and is considered "unsafe". Since 2016, the EU-US Privacy Shield has protected the personal data of European citizens so that it can be transferred securely to U.S. companies, which could be the case when using U.S. software, for example.

The significance of the EU-US Privacy Shield for digital commerce

As the legal basis for the storage and processing of personal data from Europe in the U.S., the EU-US Privacy Shield is very important for the digital economy: many of the big players such as Google, Facebook & Co. are originators of the intensive transatlantic data traffic, and European companies cannot get around their platforms and tools. "The EU Privacy Shield, which is immensely important for transatlantic data traffic, is thus secured in its existence for the time being," comments Michael Neuber, lawyer and head of policy and regulation at the Bundesverband Digitale Wirtschaft (BVDW) e.V., on the averting of the action before the General Court. The court denied the Irish organization Digital Rights the right to file an application, as it was not a natural person and no personal data of the organization itself was affected. The data protection shield therefore continues to exist. With the continued existence of the status quo under data protection law, European companies can breathe a sigh of relief: for the time being, a complete revision of the current legal situation and the associated restructuring will not be necessary.

What companies need to bear in mind when transferring data

Nevertheless, the issue of data protection is unavoidable for companies. Countless and increasingly powerful tools enable a better understanding of potential and existing customers: the collected data can be used to optimize the marketing strategy, the online store and the sales processes. However, it is important that this personal information is handled carefully. A transatlantic data transfer should only be carried out with companies that are certified under the EU-US Privacy Shield. This is because, as described in our article, data processed in the U.S., for example, must be handled in accordance with European data protection regulations. In addition, companies should inform themselves about the use of EU standard contractual clauses and Binding Corporate Rules and consider them as an additional measure to the EU-US Privacy Shield. These clauses provide legal cover for permissible data transfers to other "unsafe third countries."

For the time being, the data protection shield holds: companies that send data to the U.S. for further processing, following the rules of the EU-US Privacy Shield, need not fear acute legal uncertainty. The extent to which the legal "limits" will restrict e-commerce in the future and ensure data protection for European users is not yet foreseeable. As an agency for digital commerce, we point out the importance of data protection measures and relevant legal decisions that can have an enormous impact on German companies and business processes. However, since we cannot and are not permitted to provide legal advice, we recommend that you seek the advice of a specialist lawyer on the subject of data protection.

About the Author

As Executive Director of Blackbit digital Commerce GmbH, Stefano Viani manages all areas of the agency in the offices in Göttingen, Hamburg, Berlin and Kiev. His passion is the development of marketing strategies and their implementation in concrete measures.

In his free time, Stefano is passionate about riding his motorbike or working out in the gym.