Privacy Shield Ruled Invalid by European Court of Justice
Just as the negotiations on a post-Brexit trade deal with the EU are on a knife edge, the European Court of Justice has made a ruling on data protection that may make things a good deal more difficult.
The ruling is that the Privacy Shield framework, a pact agreed between the US and the EU in 2016 to facilitate data transfers between the EU and the US, is invalid on the basis that it does not give EU citizens adequate protection against US government snooping.
The decision scuppers a data transfer regime relied on by thousands of US companies and is a concern in so far as it calls into question the ability of multinational companies to transfer data from the EU to the US, potentially under any mechanism.
The decision is another victory for long-time privacy campaigner Max Schrems. A recap of the history of this long-running battle is useful as serious thought is given to where we can go from here.
In 2013, Edward Snowden, a 30-year-old Central Intelligence Agency employee, disclosed the mass surveillance practices carried out by the US National Security Agency (NSA). The disclosures caused a political storm, prompted a cultural discussion about national security and individual privacy, and also led to serious personal consequences for Snowden, who escaped to Russia to avoid criminal prosecution and was granted political asylum there. Meanwhile, in Austria, Max Schrems, a 23-year-old law student concerned about what this meant for his own privacy, started a court action claiming that his privacy rights were not being upheld by Facebook. The Austrian court referred the case to the courts of the Republic of Ireland, as Facebook’s European headquarters were based there, and the Irish courts in turn referred the case to the European Court of Justice. Having made its way to the highest authority in the EU, the heart of the problem the court was left to grapple with was whether the US can be trusted with the data of an EU citizen. The US does not have a data protection regime comparable to the EU’s General Data Protection Regulation (“GDPR”), which affords an individual a significant and real measure of control over their data, including the right to know what use is being made of your own data and rights to prevent it being passed on to any third party without your knowledge or consent.
The US privacy framework at the time of the case (2015 by then) relied on a solution known as Safe Harbour, which defined a set of principles against which a US company could self-certify its compliance. The European Court of Justice came to examine the issue aware that many of the companies involved in the surveillance revealed by Snowden had self-certified themselves under the Safe Harbour principles. It held that the Safe Harbour principles did not provide adequate privacy protection. Six months later the European Commission and the US government agreed a new framework for EU-US data transfers, under which the protections around how data would be processed and used would be equivalent to the protection afforded by EU law. They named this new framework the Privacy Shield.
It is this Privacy Shield that has now been found wanting, as failing to guarantee that data will not be passed to US government agencies. It’s a blow to the many thousands of US companies that rely on it as a simple mechanism under which they may transfer data from the EU to the US.
The decision does not change the fact that businesses can rely on standard terms and conditions, agreed between the party transferring the data and the party receiving it, which set out provisions comparable to the GDPR. Referred to as Standard Contractual Clauses (‘SCCs’), for now at least companies can use this mechanism to ensure their data transfers are legal. However, agreeing SCCs is a costly and bureaucratic exercise, with companies forced to negotiate and sign thousands of new contracts to keep themselves legal. Even with the help of slick IT, this type of exercise can present a barrier to start-ups and small businesses that lack the resources of the tech giants.
All US businesses, including the tech giants with all their resources, should however still be concerned about this decision for other reasons. The first is that the judgment of the European Court requires a business exporting data to the US to prove, before transferring the data, that the data will be afforded the same level of protection as within the EU, and it is far from clear how a business can do this. Secondly, EU data protection authorities are specifically encouraged in the judgment to investigate and suspend SCCs used to transfer data where they believe standards are not being met.
Right now, without a clear, workable framework and agreement as to how transfers of data from the EU to the US can be made, businesses face uncertainty that could hamper their ability to do business and grow. As we deal with the dual economic challenges of a pandemic and Brexit, we need to find urgent solutions to avoid data transfer issues adding to the challenge and slowing our recovery.
For more information on data protection and how we can help make your business compliant so that it can take advantage of the many business opportunities available, Briffa offers free 30-minute consultations to all new clients. If you would like to book a call or a meeting with one of our specialist IP lawyers, please contact [email protected] or 020 7288 6003.
Written by Margaret Briffa, solicitor