US Companies need to look to the Old World

Two court rulings made in July 2020 may prove to be among the most important legal precedents that American tech companies will ever have had to come to grips with. What is particularly interesting about these two decisions is that they were not made by the Supreme Court of the United States, or indeed by an American federal or state court of any description. Both of the judgements were made thousands of miles (or, perhaps, ‘kilometres’ would be more appropriate) away in Europe by courts of the EU.

The first of the two cases (Judgment in Cases T-778/16, Ireland v Commission, and T-892/16, Apple Sales International and Apple Operations Europe v Commission), related to alleged tax evasion. Tech giant Apple had objected to and was ultimately spared a €13 billion tax bill that the European Union had claimed was due to the Republic of Ireland. 

Ireland’s corporate tax rates

The European Commission commenced its action after alleging that Ireland had allowed Apple to attribute nearly all its European Union earnings to a head office in Ireland that existed only on paper, the goal of said practice being to avoid paying tax on EU revenues. The commission was of the opinion that this amounted to illegal aid given to Apple Inc by the Irish state.

Ireland maintained that Apple should not have to repay the back taxes, arguing that its loss was proportionate to the need to make the country an attractive base for business.

The Republic of Ireland, which boasts one of the lowest corporate tax rates in the entire EU, is currently Apple’s base for Europe, Africa, and the Middle East.

GDPR: European Representative Office

Ireland has already proven to be a popular location for non-EU businesses to locate their European Representative Office (which is a requirement of the GDPR). Tiktok, for example,  announced that it was moving responsibility for safeguarding the privacy of its European users to its Irish and UK entities, with its trust and safety hub to be located in Dublin.

There are a number of reasons for this trend. Brexit means that the UK can no longer provide a representative office for EU matters, and as a consequence that Ireland and Malta are the only English-speaking nations that remain in the bloc. Additionally, Ireland has the added advantages of a dynamic young IT-skilled workforce, a Common Law legal system and attractive corporation tax rates. The judgement in the Apple case affirms Ireland’s right to offer such rates.

Although Apple is of course one of the world’s leading tech giants, the case at hand relates more to taxation than the practices of the tech industry in particular. The second notable case, however, does just that. In a decision which is potentially far-reaching, Europe’s highest court took aim at a central pillar of US tech’s business model: data storage and flows.

Data-sharing pact voided

In a judgement published on the 16th July 2020, the European Court of Justice (ECJ) ruled that organisations moving personal user data from the European Union to other jurisdictions are obliged to provide the same protections as are guaranteed inside the bloc.

The ruling (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) could affect how companies transmit European users’ data to non-EU countries.

The case began in 2013, when the Austrian privacy campaigner Max Schrems filed a complaint with the Irish Data Protection Commissioner. Mr Schrems argued that, following Edward Snowden’s revelations, American law did not provide adequate protection against surveillance by public authorities.

Schrrems’ complaint was raised against Facebook which, among other firms, was transferring his data (and that of millions of other users) to the United States.

In 2015 the ECJ ruled that the Safe Harbour Agreement, which was in force at that time and allowed European users’ data to be moved to America, was invalid and failed to adequately protect EU citizens.

Consequently, businesses active in the European Union swapped to Standard Contractual Clauses (SCCs), which ensured that they could continue to move data across the Atlantic. At the same time, the EU and the USA made a new agreement, the Privacy Shield framework, which replaced the Safe Harbour agreement.

The ECJ’s ruling confirmed that the SCCs were an acceptable manner in which to transfer data, but declared the use of the Privacy Shield framework as invalid. 

In layman’s terms, this means that countries outside of the EU’s 27 member states, or those companies which seek to move European users’ data abroad, must guarantee an equivalent level of protection to the EU’s data laws. This may prove to be a huge burden for multinationals.

Significantly, the ruling cannot be appealed. It is the final judgement on the case. The ECJ’s interpretation must now be applied by the referring court and any others in Europe which find themselves facing the same situation.

What does this change for big companies?

Companies must now endeavour to assemble legal teams and build data centers capable of complying with the court’s decision. Huge sums of money will be spent on pre-built solutions or cloud providers that can provide a smooth transition to the new legal reality. 

This, however, is the easy part. All non-European companies now have to obtain a comprehensive understanding of the political, judicial and social realities of the EU states where they do business. US based companies need to demonstrate to Europeans that their custom is not taken for granted.

Europe is no longer a secondary priority

The significance of the European market means that when the European Union defines rules for itself, many other economies have little choice but to conform with them. Facing multiple regulatory systems, the average company will opt to work towards that which requires the highest standard and in recent years and in most sectors, that has been the EU. This is a perfectly rational position to take given that in meeting the high standards demanded by Europe, a company’s products or services will almost certainly be deemed satisfactory under the less stringent rules and conditions of other parts of the world. This has been evident in a number of sectors for several years now. The General Data Protection Regulation (GDPR) of 2018 and the judgement in Schrems’ case have similarly increased the European Union’s global influence when it comes to dealing with personal data.

It has been suggested that this is a deliberate policy of Europe in order to increase its global influence. The term ‘The Brussels Effect’ was coined by Professor Anu Bradford of Columbia Law School who recognised the trend and called it after the similar “California effect” that had earlier been observed when it came to state laws within the United States. 

This ‘effect’ is perhaps particularly significant in the tech industry. Given the very nature of data transfer in the 21st century geographical borders have been eroded, but legal jurisdiction has not. Presently the EU appears to be dictating the standards required internationally. The introduction of the GDPR illustrated the situation perfectly. The new regulations guaranteed EU citizens broad powers over how their own personal data could be used. This is clearly beneficial and welcome for the individual, and overall, the regulation is positively viewed. Nonetheless, GDPR presents non-EU nations with a dilemma: they must modify their own domestic law to conform with the EU’s new policies, or risk of being frozen out of a market with a €15 trillion economy and over 500 million wealthy consumers.

What do American companies need to do?

American companies have underestimated Europe for many years, when it comes to recognising how the international market is affected by the bloc’s different views on data protection, trade, and taxation among other issues. On multiple levels, the European Union is making it perfectly clear that it no longer accepts a reality where American based companies assume that they are entitled to operate in Europe in the same manner as they do at home. 

The scale of the GDPR has led to it being seen as the first major piece of what is expected to be a new wave of data privacy and protection laws. As mentioned above, the nature of data collection in the 21st century means that the GDPR has world-wide reach. Moreover, many industry specialists believe that GDPR is rapidly becoming the blueprint for data protection laws globally. 

As of yet, there is no comprehensive federal data protection law applicable in the USA. Some of the states have, however, introduced their own at that level. Most significantly, the California Consumer Privacy Act (or “CCPA”) came into effect on July the 1st, 2020. It seems quite apparent that the lawmakers who drafted the California Act used the GDPR as their template.

 

California based companies which acted immediately to ensure their GDPR compliance in 2018 now find that they have already put the vast majority of procedures required by the CCPA in place. This will likely continue to prove to be the trend across the US as states introduce their own legislation, and ultimately, a federal data protection law is enacted.

 

About Eoin Campbell 21 Articles
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.