Kate Brimsted, partner, Bryan Cave Leighton Paisner
As reported by Global Legal Post, the sudden annulment of the EU-US Privacy Shield by the Court of Justice of the European Union (CJEU) sent shock waves across the international business community as they look to secure the continuity of personal data flows from the EU to the US and elsewhere.
By introducing greater doubt and complexity to business reliance on standard contract clauses (SCC)—model contracts approved by the European Commission—and by introducing additional requirements, the judgment has posed and then left unanswered a number of questions.
All of this makes it challenging—to say the least—for organisations to know how best to adapt to the new landscape, whether they are ‘exporters’ or ‘importers’ of personal data from the EU.
The EU’s General Data Protection Regulation (GDPR) famously restricts the export of personal data from the EU to so-called third countries not considered to have adequate data protection laws.
This restriction is described by some as ensuring that the protections applied to personal data in the EU continue to apply wherever the data is transferred to. There are a limited number of “gateways” through it. The Privacy Shield programme was one; the SCCs are another.
While there are a number of derogations under the GDPR, these are narrowly construed and tend to be insufficiently robust to support regular, ongoing data flows.
Following the sudden annulment of the Privacy Shield, the scheme administered by the US Department of Commerce no longer provides a valid legal mechanism to permit EU companies to send personal data to US Privacy Shield members.
Literally overnight, 5,378 US participants were directly impacted. But the ripples go far wider than that—as well as the US companies who joined the Shield, the decision affects many EU businesses which relied on it to legalise EU-US data transfers, especially to US service providers.
EU counterparties who are engaged with Privacy-Shielded service providers must now rethink and adapt their approach.
This, for many, was an unexpected twist in the legal tale which started in 2013 when Austrian privacy campaigner Max Schrems complained to the Irish Data Protection Commissioner that his Facebook account data was being transferred from Ireland to the US in breach of EU data protection law.
That gave rise to the CJEU’s Schrems I judgment in 2015 which swept away the Privacy Shield’s predecessor. One omission this time may be any formal “grace period” by the EU data protection authorities. Back in 2015, regulators allowed time to implement replacement measures. There is no such indication this time round.
More clarity needed
Is the CJEU’s judgment wholly bad news? After all, the court confirmed that data transfers using SCCs may still—in principle—be used, much to the relief of the business community.
The SCCs are the most widely used transfer tool according to the Commission. Designed as a bilateral contract between EU exporters and third-country importers, three different sets have been approved.
However, the existing SCCs suffer from a certain lack of flexibility in practice. EU regulatory work on a modernised set of standard clauses was at an advanced stage, although it is unclear when these will be available.
Although the SCCs have survived as an option, this judgment is far from an unqualified victory for the model contracts.
The CJEU was clear that those entering into them were expected to conduct some form of risk assessment, not merely sign up to them. They may be unsuitable (at worst) or vulnerable to challenge (at best) when sending data from the EU to jurisdictions with bulk intelligence surveillance programmes covering incoming EU personal data. The US is not the only such destination country.
The European Data Protection Board (EDPB) has recommended risk assessments on whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. There is as yet no clarity around what form that assessment should take.
Even though the Privacy Shield is a specifically EU-US transfer mechanism, this decision potentially makes post-Brexit data flows to the UK from the EU more difficult. After 2020, the barriers currently applicable to EU data flows to the US will also apply to UK flows; that is, until the UK obtains a data protection “adequacy decision” from the EU or a similar accommodation is reached via negotiations.
The UK’s data protection legislation is substantially identical to the EU’s, having implemented the GDPR and retaining that framework after the transition period. However, an adequacy decision is not a foregone conclusion. For one thing, intelligence cooperation between the UK and the US, including a 2019 data sharing agreement on crime prevention, has recently been flagged by the European Data Protection Board as relevant to the upcoming UK adequacy review.
Schrems II also indicates that reliance on “model clauses” by EU companies to transfer personal data to the UK could be open to challenge, just as US transfers are. This added uncertainty could make EU businesses less willing to work with UK service providers, especially in situations involving significant volumes of personal data of a potentially sensitive kind.
The UK’s ICO has directed organisations to take stock of the international transfers they are making and react promptly as EU or EDPB guidance becomes available.
In a rather unsatisfactory position for organisations, Schrems II means the Privacy Shield offers no legal protection for ongoing transatlantic data transfers and yet the main alternatives are vulnerable to challenge and subject to enhanced prior risk assessments of an—as yet—unspecified kind. Further guidance is eagerly and somewhat anxiously awaited.
Kate Brimsted is the UK head of data privacy and cyber security at Bryan Cave Leighton Paisner