In a major case surrounding data privacy, Europe's top court, the Court of Justice of the European Union (CJEU), has invalidated the "Privacy Shield", an EU-US framework used to transfer personal data across the Atlantic.
The ruling came in a clash between Facebook and Austrian privacy activist Max Schrems, who has challenged the tech giant's handling of EU citizens' data ever since Edward Snowden's spying revelations in 2013.
While the ruling does not mean an immediate halt to all data transfers outside the EU - the court upheld the validity of "Standard Contractual Clauses" (SCCs) for transfers to processors established in third countries - scrutiny of such transfers will be ramped up. The EU and US may also have to find a new system that guarantees that Europeans' data is afforded the same privacy protection in the US as it is in the EU.
Julian David, CEO of techUK, said: “Today’s ruling will create a significant amount of uncertainty particularly for smaller US, UK and EU firms.
Now is the time for cool heads on both sides of the Atlantic. The focus now must be on providing certainty in the near term through a grace period and quickly returning to the negotiating table to build a durable and sustainable solution, creating a dependable regulatory environment for the transfer of data that can support business, innovation and trade”.
This is the second time in less than five years that a data sharing regime between the EU and the US has been struck down by the CJEU, following the invalidation of the Safe Harbor agreement in the first Schrems case in 2015.
Toni Vitale, partner and head of data protection at JMW Solicitors, says: “The landmark ruling in the Schrems II case has just landed, declaring the EU-US Privacy Shield invalid and upholding the standard contractual clauses as valid. Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilised in the USA. The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary. As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.
“This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on – something easier said than done given the EU’s issues with the US privacy legal system. The four main takeaways are:
1. The EU-US Privacy Shield is now invalidated so it is now unlawful to transfer personal data to the USA using the Privacy Shield;
2. Data exporters and importers using the standard contract clauses must verify the level of protection in the third country first. The importer also has a duty to report any issues to the exporter.
3. EU data protection authorities (the equivalents of the UK’s ICO) have a new role in assessing third countries’ protection and could ban exports of data to certain countries.
4. Post Brexit, the UK could be deemed to have inadequate protection given the lack of judicial oversight over the security forces – and this could lead to a ban on exports of data from the EU to the UK in the future.”
David Dumont, data privacy partner at Hunton Andrews Kurth LLP based in Brussels, says: “The fact that SCCs have not been invalidated will be welcomed by all businesses that transfer personal data outside the EU, but a significant note of caution should be sounded. Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an ‘adequate level of protection.’ This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available. Most businesses are not readily able to make those assessments. If a recipient is not able to provide an ‘adequate level of protection’, EU businesses are required to suspend those data transfers, failing which a regulator may do so. Urgent guidance will be required from data protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs.
“The importance of the judgment cannot be underestimated. While companies can still rely on SCCs, underlying transfers will be subject to much greater scrutiny. Unlike the Privacy Shield, SCCs are used for transfers around the globe. Most EU companies plan to rely on SCCs to transfer personal data to the UK once the Brexit transition period ends. This judgment signals that the SCCs mechanism will be subject to much greater levels of scrutiny, and that EU data protection authorities will be expected to be more proactive in enforcing these requirements, suspending transfers if necessary.
“The emphasis on SCCs as a valid data transfer mechanism will increase the pressure on the European Commission to update the current clauses to reflect the GDPR. The Commission had been awaiting the outcome of this case before completing its work on updating the SCCs.”