Last week the Court of Justice of the European Union (CJEU) struck down a key data-sharing agreement between the United States and European Union, with possible implications for U.S. blockchain companies that serve EU customers.
The 2016 agreement, known as the Privacy Shield, lets American companies self-certify they are complying with data privacy laws, like the General Data Protection Act (GDPR). GDPR gives end users greater control over data held by companies like Google and Facebook.
Steven Blickensderfer, a technology and privacy lawyer at the firm Carlton Fields, said the decision dramatically alters how companies can process data and impacts not just the U.S., but other countries with robust surveillance like China and Russia.
“The court’s imploring data protection authorities in Europe to no longer sit idly by while illegal transfers of data are taking place,” he said. “The court has called the data protections supervisor to action.”
Companies handling a European’s personal data are supposed to share that data only with entities in countries that have similar protections. The U.S. lacks strong federal privacy legislation and has a long history of security agencies like the National Security Agency secretly surveilling vast swathes of personal data, under legally When a person in the EU uses a service like Facebook or Google, they are sending their data outside of the EU.
Over 5,000 U.S. companies were certified under the Privacy Shield deal, meaning they may now have to take extensive steps to figure out how to protect EU customers’ data, and comply with GDPR in other ways. This is a challenge for smaller-sized companies, said Blickensderfer, considering the measures needed to account for data and the number of third parties involved.
One alternative is to make sure users give informed consent, so their data is processed in the U.S. and personal data may be used for commercial purposes. But, said Blickensderfer, it’s doubtful that existing terms of service cover that. Another option is reviewing the standard contract language, making more explicit how, for example, the U.S. government may access data.
Prominent cryptocurrency exchange Coinbase was certified under the Privacy Shield. When asked what the impact on their EU customers might be and what exchanges and blockchain companies should be looking to as an alternative, it said nothing had changed for now.
“We have been monitoring developments regarding the EU/US Privacy Shield closely and, in light of the CJEU’s recent decision, we will continue to use approved data transfer mechanisms…to ensure Coinbase provides services to customers in the EU without interruption,” said a Coinbase spokesperson.