The European Court of Justice (“ECJ”) has today (16 July 2020) delivered its verdict in the long-running case between Facebook Ireland and Max Schrems, the Austrian lawyer and privacy activist. For many businesses that transfer personal data from the EU to the USA, and indeed to many other jurisdictions outside the EU, this decision has a fundamental impact.
Validity of Privacy Shield
The court decided that the EU–US Privacy Shield (“Privacy Shield”) is no longer valid, on the basis that the US regulatory regime does not adequately protect EU citizens’ data rights. US legislation allows US government agencies to access EU personal data, for example when running surveillance programmes, without limiting that access to what is strictly necessary. The court found that the USA offers inadequate protection of EU citizens’ rights, and that EU citizens have no effective, enforceable rights or legal remedy in the USA against such access. Crikey! Any business relying on the Privacy Shield should look at its situation urgently and decide how best to manage transfers from the UK/EU to the USA.
Validity of SCCs
The court also considered the validity of the EU’s standard contractual clauses (“SCCs”) for transfers of EU personal data outside the EU and made the following findings:
- The SCCs remain valid, but it is for the parties transferring the personal data to assess whether the regulatory regime in the non-EU jurisdiction allows the SCCs to be honoured in practice (in particular, the recipient organisation must tell the data exporter whether the local laws allow it to comply with the SCCs!).
- If the guarantees contained within the SCCs cannot be upheld, the data exporter must suspend the transfers, and data protection regulators like the UK’s Information Commissioner’s Office (“ICO”) are required to suspend or prohibit data transfers that rely on them.
Gulp! Businesses using the SCCs need to review the local regulatory regime wherever they (or indeed their sub-contractors, or their sub-contractors’ sub-contractors…) process personal data.
This, of course, is not an easy task: European regulators take years to assess whether a country’s data protection regime is adequate!
If the court saw fit to invalidate the Privacy Shield on the grounds that the US regulatory regime offered inadequate protection, does that mean that any analysis of the US regime for the purposes of using the SCCs fails, too?
The Irish Data Protection Commission is certainly looking to explore that question. In its reaction to the court’s decision, it stated, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” The Hamburg Data Protection Commissioner has also published observations to similar effect.
However, it may take time to get a definitive answer: so far, we haven’t seen any guidance from the European Data Protection Board, and the ICO has only issued a preliminary holding statement.
The court kindly pointed out that there are other mechanisms for international transfers (the derogations, such as where the transfer is necessary for a contract with the individual, or is based on the explicit consent of each individual, etc.), but that is little help to businesses conducting large-scale, ongoing or regular transfers of personal data, or where consent simply isn’t practical (especially given that obtaining consent that complies with the General Data Protection Regulation (“GDPR”) is itself a tricky task).
The ECJ’s verdict is not unexpected, especially given ongoing criticism of the Privacy Shield by various EU bodies in recent months.
However, it is, of course, disappointing for the European Commission, who have to start again to find a new solution; for the affected US companies themselves; and for all those organisations who rely on services or business involving the USA.
So, what next? Well, before panic sets in, remember that we have been here before. Back in 2015, Max Schrems’ earlier legal challenge concerning Facebook Ireland led to the invalidation of the previous EU–US Safe Harbor framework (the predecessor to the Privacy Shield). It wasn’t the end of the world then, and it is unlikely to be now.
In 2015, EU regulators were sympathetic in the aftermath of the decision, and gave organisations some time to put in place other compliance measures (mostly the SCCs). Almost immediately, work also began to craft a new EU–US-compliant mechanism, which evolved into the Privacy Shield. It is likely that similar approaches will follow over the coming months.
What is clear is that a better mechanism will be needed this time around, to avoid more legal challenge and uncertainty for businesses. It is likely that most organisations will now turn to SCCs for, at the very least, an interim solution.
However, those SCCs are not in great shape: they have yet to be updated for the GDPR, and there are countless other issues with them given how dated they are. New versions have been in the works for some time, so what next? Wait for the new SCCs to be published (and risk non-compliance in the meantime), or scrabble around to put new terms in place as soon as possible, knowing they will need to be changed again before long? It’s not an easy decision to make!
Alternatives to SCCs
Organisations must bear in mind that they will now be expected to consider whether the data protection regime of the USA, or of any other jurisdiction outside the European Economic Area (“EEA”) with no adequacy decision for that matter, adequately protects the data rights of EU individuals.
And let’s remember: the Brexit transition period ends on 31 December 2020. Businesses need to keep an eye on whether the EU will decide that the UK is an adequate jurisdiction, and therefore whether the EU will allow free flows of personal data to the UK. As part of those developments, we will all need to monitor how UK data protection law evolves once the UK has worked out how to “take back control” while retaining a data protection regime sufficiently similar to the EU’s for businesses to continue free flows of personal data!
Now could be a good time to consider some alternatives to SCCs:
- We’ve already received approaches asking whether binding corporate rules (“BCRs”) are the new golden ticket and need serious consideration now. We wonder whether BCRs will be worth the effort, though, if the USA can’t offer adequate protection to EU citizens without some serious changes to its regime; BCRs face the same question about local law as the SCCs do.
- What extra safeguards can you put in place in addition to the SCCs? Are there ways to bolster the SCCs themselves by adding clauses that go above and beyond the base set of provisions? Is there a way to limit the personal data being processed in the USA? Suppliers will make offers, as quickly as the day of the ECJ’s verdict even, of fully contained EU data solutions that don’t depend on transfers to the USA at all.
- Remember that there are other ways to transfer data internationally, particularly if you only send personal data occasionally, or if it’s for a specific contract with the individual (like a foreign hotel booking).
Sadly, it’s time to pull the contracts out of the drawer – again.
We understand that there will be a lot of uncertainty in light of the judgment, so if you need any advice about your organisation’s approach to transferring personal data to and from the USA, or indeed other jurisdictions outside the EU, please don’t hesitate to contact us at Pritchetts for advice on next steps.