EU restricts personal data transfers to the US

If you don’t live in the EU, and don’t run a globally-targeted website, you may be forgiven for not being familiar with GDPR — the General Data Protection Regulation of the EU. If you do live in the EU, then you’ll be intimately familiar with the endless “agreeing” you have to do to various cookie and privacy policies when you go to a website. In fact, you’ll still occasionally find websites that are blocked in the EU, because they’re from large corporations that haven’t yet implemented the GDPR requirements (requirements around anonymization of data collected, the ability to collect personal data for only a handful of legitimate reasons, and in the event you consent to your personal data being collected, the ability to withdraw that consent at any time). Because US and EU laws around privacy are different, a political framework called the EU–US Privacy Shield, was put in place to allow digital commerce to still function across the Atlantic in a fairly reasonable way. But the fact of the matter is, the US has far weaker privacy protections than the EU, so the most the agreement could state was that EU residents have the ability to access their data, and to dispute resolution. The EU’s highest court just ruled that both in general terms, and in particular in light of what is known about US intelligence agency behavior after the Snowden leaks, this is nowhere near sufficient. Likely, this won’t have an immediate impact, other than large companies (like Facebook) slightly changing their consent forms. However, as individual EU member states start to enact legislation around the decision, it could have far-reaching impact on companies like Facebook and Shopify. The long-term play from the EU is fairly clearly to get companies to build datacenters in the EU, and treat data differently there than in the US. To be honest, this is probably a better bet than the EU’s attempt to build their own data infrastructure. However, this is going to be met with resistance. The US has no intention of re-writing their data-protection laws to prevent US spy agencies from gathering information on EU residents.

Posted in Global Business, Newsletter and tagged , .

Chris Richardson has strong opinions on just about everything. Just ask.