The Big Story: Privacy Shield rollback leads to new complaints over U.S. websites. The recent court decision striking down a transatlantic data transfer deal is already having adverse effects for websites of all sizes. This week, a European privacy group founded by Austrian privacy activist Max Schrems filed complaints with European Union data regulators against 101 websites that use tools like Google Analytics and Facebook Connect.
The complaints came after the Court of Justice of the European Union last month struck down the EU-U.S. Privacy Shield, a transatlantic pact that let U.S. companies process and store European users’ data in America. That case, known as Schrems II, evolved out of Schrems’ 2013 lawsuit following NSA whistleblower Edward Snowden’s revelations of U.S. government surveillance programs. This is the second time that the European Court of Justice has struck down an EU-U.S. data transfer pact as a result of revelations about U.S. government surveillance programs that violate EU privacy protections.
Although Federal Trade Commission Chairman Joseph Simons told a Senate panel earlier this month that U.S. firms must still honor the now-invalidated Privacy Shield framework, the series of complaints filed by Schrems’ organization shows just how difficult it is for many small- and medium-sized companies to continue maintaining standard operations in the EU following the Privacy Shield rollback. And U.S. startups stand to lose the most without clear guidelines in place to help navigate compliance concerns with the bloc’s strict data privacy requirements. While many larger firms implemented individual data transfer agreements—known as Standard Contractual Clauses (SCCs)—outside of Privacy Shield that they can rely on to continue operating within the bounds of EU law, the pact gave startups a streamlined way to ensure compliance while storing, transferring, and handling European users’ data.
Even though Commerce Secretary Wilbur Ross and European Commissioner for Justice Didier Reynders announced last week that they are discussing the framework of a new data transfer pact, the loss of Privacy Shield means that startups are especially vulnerable to additional EU scrutiny. As the recent complaints show, even platforms that rely on standard digital tools—such as Google Analytics and Facebook Connect—can be targeted for not complying with the EU’s data privacy requirements. Policymakers in the EU and U.S. must use the ongoing talks to quickly address the rollback of Privacy Shield in order to lessen the fallout for U.S. startups. And Congress should seriously consider examining and overhauling current U.S. surveillance programs to ensure that U.S. startups can safely operate abroad. If you’re a startup that has been impacted by the decision to strike down Privacy Shield, please contact us here.
Policy Roundup:
Uber and Lyft receive temporary reprieve in California. Ridesharing firms Uber and Lyft avoided having to shut down their services in California after an appellate court issued a temporary reprieve yesterday delaying a court ruling last week that would have required the firms to reclassify their drivers as employees. The decision came after San Francisco Superior Court judge Ethan Schulman ruled last week that the firms must comply with Assembly Bill 5 (AB 5), the state law that requires companies—particularly “gig economy” platforms—to reclassify many of their independent contractors as employees. As we noted earlier this week, AB 5 will have broader implications for startups that lack the resources needed to navigate the law and the new compliance burdens that it creates.
Facebook calls for legislation to address data portability. Facebook filed comments with the Federal Trade Commission today calling for legislation to streamline data portability, a process that allows Internet users to more easily transfer their data across different digital services. The social media company, which filed the comments ahead of the FTC's Sept. 22nd hearing on the issue, said the Access Act—data portability legislation from Sens. Richard Blumenthal (D-Conn.), Mark Warner (D-Va.) and Josh Hawley (R-Mo.)—is a good first step, but also called for regulatory guidance to address concerns about liability and portability. The European Union’s General Data Protection Regulation and California’s privacy law—the California Consumer Protection Act (CCPA)—both include data portability requirements. California Attorney General Xavier Becerra issued the final enforcement regulations for CCPA earlier this week.
White House’s proposed 2021 fiscal year budget includes increases in AI, quantum funding. The Trump administration released a proposal late last week to increase spending for artificial intelligence and quantum technologies by 30 percent in the 2021 non-defense budget. The 2021 fiscal year budget proposal includes $1.5 billion for AI and $699 million for quantum information science, and comes as China and other countries have increased their adoption of emerging technologies.
NIST privacy workshop scheduled for next month. The National Institute of Standards and Technology—which released a privacy framework earlier this year to help businesses better identify and manage privacy risks—announced this week a virtual workshop on Sept. 22-24 about “Growing a Workforce for Managing Privacy Risk” to help gather feedback from stakeholders about the additional steps needed to tackle workforce challenges and realize the framework’s outcomes.
Startup Roundup:
#StartupsEverywhere: Coatesville, Pennsylvania. H20 Connected manufactures wireless-enabled products like LeakAlertor to help property management and hospitality businesses deal with leaking, overflowing, and running toilets. The startup was incubated in Coatesville, Pennsylvania, to utilize the city’s Qualified Opportunity Zone program to help scale their growth moving forward.
