Startups Stand the Most to Lose after Privacy Shield Rollback

TLDR: Europe’s top court last week struck down Privacy Shield, a data transfer pact between the European Union and the United States that allowed U.S. companies to process and store European users’ data in America. The decision, which could have an outsized impact on U.S. startups, stems from U.S. government surveillance programs that European courts have repeatedly found issues with—especially in the wake of the disclosures from former National Security Agency contractor Edward Snowden in 2013. Without the U.S. scaling back its sweeping surveillance programs, however, it’s unlikely that the EU and U.S. will be able to agree on a new framework to replace Privacy Shield—something that growing startups need to reach potential users across Europe. 

What’s Happening This Week: Startups and tech companies are reevaluating their overseas business operations after the European Court of Justice last week struck down the EU-U.S. Privacy Shield. As Secretary of State Mike Pompeo said in a press statement on Friday, the decision will affect “more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.”

The court decision in Schrems II—which evolved out of Austrian privacy activist Max Schrems’ 2013 lawsuit over disclosures about U.S. government surveillance by former NSA Edward Snowden—creates uncertainty for American and European companies that rely on the flow of data between Europe and the United States to effectively operate. The EU’s top court said in its decision that the United States’ existing data privacy protections are too weak for EU-based users, and could potentially allow their data to be intercepted or swept up by U.S. government intelligence agencies. This is the second time this decade that the court has ruled that EU privacy laws conflict with U.S. surveillance programs—the first being the Schrems I case that struck down the last agreement, the Safe Harbor, and led to the creation of the Privacy Shield framework in 2016. 

This decision could have an outsized impact on small and new startups. These smaller firms often do not have individual data transfer agreements with EU countries—known as Standard Contractual Clauses (SCCs)—that many larger companies can negotiate and use to help mitigate many data transfer issues. Instead, startups and other small companies relied on Privacy Shield to provide a streamlined framework for handling European users’ data. Unless Congress addresses the EU’s concerns about U.S. surveillance programs, it’s unlikely that the two governing bodies will be able to work out an unimpeachable data transfer framework. 

Why it Matters to Startups:  Without an effective framework—like Privacy Shield—for complying with the European Union’s data privacy requirements, U.S. startups will be forced to either abandon European markets, or find alternative ways to process and store European users’ data that comply with the EU’s legal requirements. To ensure U.S. startups’ ability to scale and compete globally, Congress must address the deficiencies in current U.S. privacy protections, including passing a comprehensive consumer privacy law and reining in surveillance programs that put transatlantic data at risk. 

The App Association noted that almost 70 percent of the companies that use Privacy Shield are small- to medium-sized companies. Since larger companies also have SCCs with EU countries, the decision to strike down Privacy Shield will have less of an immediate impact on their operations. This means that larger firms are likely to expand on their footholds across the EU, while startups and other small firms hoping to scale across Europe will have to contend with a more legally complicated landscape.

U.S. government surveillance programs—such as those allowed under Section 702 of the Foreign Intelligence Surveillance Act—give intelligence officials wide-ranging access to digital communications. Even with Congress and the National Security Agency taking steps in recent years to limit the scope of these surveillance activities, the sweeping ability for the U.S. government to acquire data conflicts with the EU’s data privacy protections. 

Engine previously noted that startups are concerned about Section 702 surveillance programs because of the impact they could have on transatlantic deals with the European Union, such as Privacy Shield. But if Congress does not address the underlying concern of European policymakers—that privacy protections in the U.S. fail to meet the standard set by those in the European Union—then it is likely that subsequent EU-U.S. data transfer pacts will meet similar fates as Privacy Shield and the Safe Harbor before it. Simply renegotiating a new pact will not solve these concerns. Instead, U.S. policymakers should address the EU’s underlying concerns about privacy protections in the United States. Startups that want to reach a global audience need the ability to operate in Europe long-term. 

If you’re a startup that has been impacted by the decision to strike down Privacy Shield, please contact us here. 

On the Horizon.

• The House Small Business Committee is holding a hearing at 1 p.m. tomorrow to discuss the U.S. Small Business Administration’s technology systems and the issues that small businesses and lenders faced when applying for economic relief. 

• The Senate Small Business Committee is holding a hearing at 10 a.m. on Thursday to discuss capital access for minority small business owners amid the COVID-19 pandemic. 

• The Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet is holding a hearing at 10 a.m. on Thursday to discuss the state of U.S. spectrum policy.