The European Court of Justice (“ECJ”) has today delivered its verdict on a long-running case between Facebook Ireland and Max Schrems, an Austrian lawyer and privacy activist. For many businesses that transfer personal data from the EU to the USA, and indeed to many other jurisdictions outside the EU, this decision has fundamental impact.
Validity of Privacy Shield
The court decided that the EU–US Privacy Shield (“Privacy Shield”) was no longer valid, on the basis that the US regulatory regime does not adequately protect EU citizens’ data rights. US legislation allows US government agencies to have access to EU personal data, for example, when running surveillance programs. The court found that the USA offered inadequate protection of EU citizens’ rights, and no effective rights or legal remedy in the USA. Crikey! Any businesses relying on the Privacy Shield should look at their situation urgently, and decide how best to manage transfers from the UK/EU to the USA.
Validity of SCCs
The court also considered the validity of the EU’s standard contractual clauses (“SCCs”) for transfers of EU personal data outside the EU and made the following findings:
- The SCCs were valid, but it was for the parties transferring the personal data to assess the adequacy of the regulatory regime in the non-EU jurisdiction (in particular, the recipient organisation must tell the data exporter whether the local laws allow it to comply with the SCCs!).
- If the guarantees contained within the SCCs were not upheld, data protection regulators like the UK’s Information Commissioner’s Office (“ICO”) should suspend the data transfers that rely on them.
This, of course, is not an easy task: European regulators take years to assess whether a country’s data protection regime is adequate!
Concerns
If the court saw fit to invalidate the Privacy Shield on the grounds that the US regulatory regime offered inadequate protection, does that mean that any analysis of the US regime for the purposes of using the SCCs fails, too?
The Irish Data Protection Commission is certainly looking to explore that question. In its reaction to the court’s decision, it stated, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg Data Protection Commissioner has also offered many helpful observations.
However, it may take time to get a definitive answer: so far, we haven’t seen any guidance from the European Data Protection Board, and the ICO has only issued a preliminary holding statement.
The court kindly pointed out that there are other mechanisms for international transfers (such as where they are necessary for a contract, or based on the consent of each individual, etc.), but that is little help to businesses conducting large-scale, ongoing or regular transfers of personal data, or where consent simply isn’t practical (especially given that obtaining consent that complies with the General Data Protection Regulation (“GDPR”) is itself a tricky task).
Our thoughts
The ECJ’s verdict is not unexpected, especially given ongoing criticism of the Privacy Shield by various EU bodies in recent months.
However, it is, of course, disappointing for the European Commission, who have to start again to find a new solution; for the affected US companies themselves; and for all those organisations who rely on services or business involving the USA.
So, what next? Well, before panic sets in, remember that we have been here before. Back in 2015, Max Schrems’ earlier legal challenge against Facebook Ireland led to the invalidation of the previous EU–US Safe Harbor Framework (the predecessor to the Privacy Shield). It wasn’t the end of the world then, and it is unlikely to be now.
In 2015, EU regulators were sympathetic in the aftermath of the decision, and gave organisations some time to put in place other compliance measures (mostly the SCCs). Almost immediately, work also began to craft a new EU–US-compliant mechanism, which evolved into the Privacy Shield. It is likely that similar approaches will follow over the coming months.
What is clear is that a better mechanism will be needed this time around, to avoid more legal challenge and uncertainty for businesses. It is likely that most organisations will now turn to SCCs for, at the very least, an interim solution.
However, those SCCs are not in great shape: they have yet to be updated for the GDPR and there are countless other issues with them, given how dated they are. New versions have been worked on for some time, so what next? Wait for new SCCs to be published (but risk non-compliance in the meantime) or scrabble around to put new terms in place ASAP, knowing they will need to be changed again before long? It’s not an easy decision to make!
Alternatives to SCCs
Organisations must bear in mind that they will now be expected to consider whether the data protection regime in the USA, or for that matter in any other jurisdiction outside the European Economic Area (“EEA”) with no adequacy decision, adequately protects the data rights of EU individuals.
And let’s remember: the UK comes out of the Brexit transition period on 1 January 2021. Businesses need to keep an eye on whether the EU will decide that the UK is an adequate jurisdiction – and therefore whether the EU will enable free flows of personal data to the UK. As part of those developments, we will all need to monitor how UK data protection law evolves, once the UK has worked out how to “take back control” while retaining a data protection regime that is sufficiently similar to the EU’s to enable businesses to continue free flows of personal data!
Now could be a good time to consider some alternatives to SCCs:
- We’ve already received approaches in relation to whether binding corporate rules (“BCRs”) are the new golden ticket and need serious consideration now. We wonder whether BCRs will be worth the effort, though, if the USA can’t offer adequate protection to EU citizens without some serious changes to their regime.
- What extra safeguards can you put in place in addition to the SCCs? Are there ways to bolster the SCCs themselves by adding clauses that go above and beyond the base set of provisions? Is there a way to limit the personal data being processed in the USA? Suppliers will make offers – as early as the day of the ECJ’s verdict, even – of fully contained EU data solutions that don’t depend on transfer to the USA at all.
- Remember that there are other ways to transfer data internationally – particularly if you only send personal data occasionally or it’s for a specific contract with the individual (like a foreign hotel booking).
Next steps
Sadly, it’s time to pull the contracts out of the drawer – again.
We understand that there will be a lot of uncertainty in light of the judgment, so if you need any advice about your organisation’s approach to transferring personal data to and from the USA, or indeed other jurisdictions outside the EU, please don’t hesitate to contact us at Pritchetts for advice on next steps.