As widely anticipated, on 16 July, Europe’s highest court struck down the EU-US data sharing agreement known as Privacy Shield.
This is the second time in 5 years that the European Court of Justice (CJEU) has killed such an arrangement with the US.
As the court noted: “The General Data Protection Regulation (GDPR) provides that the transfer of data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection.” However, given Edward Snowden’s 2013 disclosures about mass surveillance by national security and law enforcement agencies in the United States, and the activities of US intelligence services as they apply to non-nationals, this is not the case with the United States.
But given the overwhelming amount of data transferred by companies between the two blocs, the European Commission and the US Department of Commerce decided to come up with a “workaround.” The first “gentlemen’s agreement” was known as Safe Harbour, but it too fell foul of the CJEU’s view on US snooping in 2015.
In its ruling last week, the court stated: “The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” In other words: Europeans, your data is not safe there!
Two key findings of the court: protections for EU citizens in the US are weak because US “provisions do not grant data subjects actionable rights before the courts against the US authorities”; and the US Ombudsman, established to help EU citizens make their case, does not have sufficient binding authority over the US intelligence services. The long and short of it is that companies such as Facebook Ireland cannot ensure adequate privacy protections for users in Europe.
More than 5,000 companies had signed up to Privacy Shield, and, according to several trade bodies more than 70% of them are small and medium-sized businesses. The framework allowed companies to voluntarily “self certify” that they would protect European citizens’ data to the same standard as in the EU.
The case, known as Schrems II, also required the court to look at other mechanisms for transferring data to the US from Europe – so-called Standard Contractual Clauses.
Furthermore, “necessary” EU-US transfers of personal data (like emails, airline bookings, messages or direct private use of US services) and any transfers for “household activities” will continue to be allowed. Equally, any transfers of data that do not contain “personal data” continue to be allowed, explained privacy NGO NOYB. We will examine those in a future article.
But the ruling will nonetheless have far-reaching consequences, as Stewart Room, Global Head of Data Protection and Cyber Security at DWF, explained: “This judgment is the second major blow delivered to the US privacy and data protection legal framework by the EU Court of Justice relating to the Snowden disclosures and in today’s climate of unstable transatlantic political relationships, it is unlikely to meet with approval in the US. However, this is not just a US problem. Twice now the European Commission has tried to reach an agreement with the US on data protection, only to have its efforts ruled unlawful. There needs to be a different mindset to how the challenges of international transfers to the US are met, because failed schemes like this have significant impacts for individuals and for businesses.”
Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection at Linklaters, added: “Similarly, this may encourage data protection regulators to clamp down on international transfers more aggressively, with the possibility of transfers to jurisdictions with strong state surveillance powers becoming increasingly difficult.”
“This does not just affect data transfers to the US. Other jurisdictions, such as India or China, also have strong state surveillance powers so transfers to those jurisdictions may also need careful examination.”
Axel Voss, a Member of the European Parliament (MEP) and EPP Group spokesman on Legal Affairs, also called for action “on both sides.”
“The US must give additional assurances as to how they deal with European personal data. And the European Commission must now clarify the legal situation in order to give legal certainty to businesses, scientists and consumers,” he said.
But Eric Null, U.S. Policy Manager at digital rights NGO Access Now, was skeptical: “Unless the US passes meaningful, strong, and comprehensive privacy legislation and curtails the government’s surveillance authorities, we’ll just be here again in a few years.”
The biggest concern for businesses is that this major upheaval creates “legal uncertainty.”
Alexandre Roure, CCIA Public Policy Senior Manager, called on EU and US decision-makers to swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of the data flows which underpin the transatlantic economy. “We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms,” he added.
But US Secretary of Commerce Wilbur Ross stated that the Department of Commerce is deeply disappointed that the court “appears” to have invalidated Privacy Shield! That wording may not provide much hope that any new thinking is likely to be on the table – at least from the US side.
“We are still studying the decision to fully understand its practical impacts,” Ross continued. “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”
The ruling also has significant implications for the UK post-Brexit transition period. Once properly outside the EU on 1 January 2021, the UK will be treated like any other “third country” with no special dispensations. Like the US, the UK conducts mass surveillance, under the Investigatory Powers Act, and it is difficult to see how the court could take a different view with the former EU state. This puts added pressure on negotiators to come to a watertight arrangement on data sharing sooner rather than later as talk of a “UK Privacy Shield” will no longer be appealing.
“We don’t yet know what may be assembled to replace Privacy Shield,” pointed out Ben Rapp, founder of data privacy consultancy, Securys. “However, it’s bound to take some time, since cobbling Privacy Shield quickly was the mistake that led to today’s decision, and in the meantime existing data flows to the US are likely to be unlawful in many cases.”
Rest assured the powers that be will be trying to find something – anything – that will allow data transfers to continue unhindered. For sure, SCCs (Standard Contractual Clauses) will be part of the solution, and we will look closely at those in the next column.