As we all know, online privacy, the security of user data, and the use which that data is put to have become significant issues at this stage of the evolution of our digital environment. As part of efforts to address those concerns, the EU passed the GDPR (General Data Protection Regulation) in 2018, which governed the use and treatment of the personal data of EU citizens, including the “right to be forgotten.”

However, the passing of these regulations presented an obstacle for the global digital corporations (like Google and Facebook) who operate over the majority of the world, and who transfer data between those operations, and notably to their country of origin, the USA, where data protection regulation was generally not comparable.

In order to circumvent this, an agreement known as the EU-US Privacy Shield was drawn up and accepted by the EU in order to allow companies to continue transferring data to the US.

Privacy Shield Ruled Invalid

In a landmark decision in July 2020 though, the EU Court of Justice struck down the Privacy Shield on the basis that US laws did not adequately ensure protection of EU citizens personal data, and technically ended the access of US companies to that data.

The Privacy Shield was challenged by a digital rights group, who found through a survey of 33 companies, (mostly American) that the firms compliance with EU restrictions on trans-Atlantic data transfers was extremely poor.

Max Schrems, whose group conducted the survey, found that a routine request regarding how a users data is handled drew responses that went from none, to misleading. “The responses ranged from detailed explanations, to admissions that these companies have no clue what is happening, to shockingly aggressive denials of the law,” he said.

Facebook May Leave Europe

As a result of these new regulations, Facebook has said that it may be necessary to stop operating its main platform, as well as Instagram, in Europe, where it claims 410 million active monthly users. (Equal to the total population of the 5 most populous European countries combined, out of interest.)

The company has lodged a challenge to the preliminary order issued by the Data Protection Commissioner of Ireland (where they are technically headquartered for tax purposes), which threatened to block any transfer of data back to the US, because of various privacy concerns including the possibility of US government surveillance of such data.

Their affidavit pointed out that should they be blocked from carrying out such data transfers, they did not see how they would be able to maintain operations. A company spokesperson also denied that their statement was a threat to withdraw from the EU however, saying that it was a simple business reality that this would be the result of the passing of said laws.

A Changing Privacy Landscape

With the recent promulgation of the POPI Act here in South Africa, and with companies given 12 months from July 1st 2020 to become fully compliant with it, data protection and privacy are becoming a more important consideration for doing business online than ever before.