Earlier this month, the Court of Justice of the European Union issued a judgment that will have major implications for all businesses which transfer personal data internationally.
This isn’t just a matter for multinationals or tech companies; international transfers are crucial for all sorts of businesses, large and small. They can happen when businesses store data in the cloud, send data to other organisations or engage suppliers based outside of Europe.
The latest decision came in the long-running legal battle between Austrian privacy campaigner Max Schrems and social media giant Facebook, which has already had a huge impact on international transfers of personal information. Back in 2013, while he was still a student, Mr Schrems made a complaint against Facebook.
His complaint arose from the disclosures of whistle-blower Edward Snowden, which revealed that US authorities routinely intercepted and retained information from social media companies. A case was brought in Ireland, where Facebook has its EU headquarters, and related cases have been proceeding through the courts ever since.
The complaint revolves around the validity of transfers of personal data from the EU to the US. The General Data Protection Regulation, like its predecessor the 1995 Data Protection Directive, contains a broad prohibition on transfers of personal data outside the EU. However, this prohibition can be overcome in various ways.
The most popular of these are where the transfer is to a country which the European Commission has decided gives adequate protection to personal data (a so-called ‘adequacy decision’), or where the data exporter and the data importer agree to a contract containing European Commission-approved standard contract clauses. Both of these methods were under scrutiny in this case.
Mr Schrems’ original case led to a ruling in 2015 that the previous ‘Safe Harbor’ framework for data transfers to the US did not offer adequate protection for individuals in Europe.
The latest case has moved on to consider the validity of both the standard contractual clauses and the replacement for Safe Harbor, the EU/US Privacy Shield, which in reality is a partial adequacy decision for certain companies in the US. Mr Schrems argued that neither the EU/US Privacy Shield nor the standard contractual clauses offered adequate protection to his data once it had been transferred to the US, because of the wide powers of US authorities over the personal data of non-US citizens.
In the most eye-catching part of the judgment, the Court ruled that the EU/US Privacy Shield does not offer appropriate safeguards for data protection, because of the US government’s wide powers to collect and review personal data held in its jurisdiction. Accordingly, the Court annulled the adequacy decision in respect of the EU/US Privacy Shield.
Data transfers under that framework will no longer be valid. As with the similar ruling in 2015 in respect of Safe Harbor, the EU Commission and US authorities may try again to find a replacement scheme, but this appears increasingly difficult, particularly in light of the existing US administration’s increasingly protectionist agenda.
Perhaps more importantly, however, the Court also ruled on the use of standard contractual clauses, which can be used to transfer data anywhere in the world, not just to the US. To the huge relief of many businesses, the Court upheld the use of standard contractual clauses as a means of validating transfers outside the EU.
But in doing so, the Court emphasised that putting in place standard contractual clauses alone is not enough to ensure adequate protection. Instead, data exporters must also consider the legal context in the recipient country. Where the laws of the recipient do not provide adequate protection, the use of standard contractual clauses is not enough, and the data exporter must not transfer the data.
So what does all of this mean for businesses? In some ways, we’ve been here before. In respect of the Privacy Shield, the current situation is almost identical to 2015, when the earlier judgment annulled the Safe Harbor framework. At that time, European regulators urged a cautious approach and emphasised that businesses should not immediately stop transferring data, which could itself have a negative impact on individuals.
But that was under the old regime, before the General Data Protection Regulation and the significant strengthening of data protection rules.
The UK regulator, the Information Commissioner’s Office, has again taken a cautious approach and stated that, at least for now, businesses can continue existing transfer arrangements using Privacy Shield, but should not start new transfers under the now-defunct framework. Other European regulators have taken a stronger approach and recommended businesses switch now to an alternative method of transfer or stop exporting data altogether.
Any businesses that transfer personal data to the US using the Privacy Shield framework would be wise to immediately take stock. They should assess the situation to understand the scale of the issue and consider what steps to take to remove any data protection risk.
This may involve using another method to validate those data transfers or considering whether alternative solutions exist. But they should be careful not to simply stop data transfers on the basis of this judgment, without taking into account all of the potential wider consequences.
The use of standard contractual clauses should also be reviewed. This decision means that international data transfers are likely to become subject to much greater scrutiny and will potentially become more difficult. And with the post-Brexit transition period ending on 31 December 2020, data transfers between the EU and the UK will become subject to these strict rules from next year. Now really is the time for businesses to be reviewing all of their international data flows.