• Our People
  • Global Presence
  • Regions
    • Asia
    • Europe
    • Americas
  • Offices
    • Canada
      • Ottawa
      • Toronto
    • China
      • Beijing
      • Hong Kong
    • Luxembourg
    • Malaysia
    • Singapore
    • UK
      • Aberdeen
      • Birmingham
      • Cambridge
      • Edinburgh
      • Glasgow
      • London
      • Manchester
      • Oxford
  • Client liaison
    • Japan
    • Korea
  • Expertise
  • Services
    • Patents
    • Brands & Trade Marks
    • Designs
    • Litigation & Dispute Resolution
    • Commercial IP & Contracts
    • Due Diligence
    • Freedom to Operate
    • EPO Patent Oppositions
    • European Patent Validations
    • Anti-counterfeiting
    • Open Source & Third Party Code
  • Sectors
    • Digital Transformation
      • 3D Printing
      • Artificial Intelligence
      • Blockchain
      • Data & Connectivity
      • Extended Reality
      • Industry 4.0
    • Energy & Environment
    • Life Sciences
    • Agritech
    • Medical Technologies
    • Chemistry
    • Transport
    • Entertainment & Creative Industries
    • Food & Drink
    • Fashion & Retail
    • Universities & Research Bodies
    • Start-ups & Spin-outs
      • Creating value for start-ups
      • The IP driven start-up
    • Financial Services
  • About Us
    • Working with us
    • Awards
    • Corporate & Social Responsibility
    • Diversity & Inclusion
    • Careers
  • Insights
    • Articles
    • News
    • Events
    • Resources
    • Unified Patent Court hub
    • Beyond Brexit: European trade mark hub
    • M&C Reacts
  • Contact Us
Marks & Clerk logo
Marks & Clerk logo
Contact Us
Language
English
Our People
Global Presence
Regions
  • Asia
  • Europe
  • Americas
Offices
  • Canada
    • Ottawa
    • Toronto
  • China
    • Beijing
    • Hong Kong
  • Luxembourg
  • Malaysia
  • Singapore
  • UK
    • Aberdeen
    • Birmingham
    • Cambridge
    • Edinburgh
    • Glasgow
    • London
    • Manchester
    • Oxford
Client liaison
  • Japan
  • Korea
Expertise
Services
  • Patents
  • Brands & Trade Marks
  • Designs
  • Litigation & Dispute Resolution
  • Commercial IP & Contracts
  • Due Diligence
  • Freedom to Operate
  • EPO Patent Oppositions
  • European Patent Validations
  • Anti-counterfeiting
  • Open Source & Third Party Code
Sectors
  • Digital Transformation
    • 3D Printing
    • Artificial Intelligence
    • Blockchain
    • Data & Connectivity
    • Extended Reality
    • Industry 4.0
  • Energy & Environment
  • Life Sciences
  • Agritech
  • Medical Technologies
  • Chemistry
  • Transport
  • Entertainment & Creative Industries
  • Food & Drink
  • Fashion & Retail
  • Universities & Research Bodies
  • Start-ups & Spin-outs
    • Creating value for start-ups
    • The IP driven start-up
  • Financial Services
About Us
  • Working with us
  • Awards
  • Corporate & Social Responsibility
  • Diversity & Inclusion
  • Careers
Insights
  • Articles
  • News
  • Events
  • Resources
  • Unified Patent Court hub
  • Beyond Brexit: European trade mark hub
  • M&C Reacts

Does the shattering of the US Privacy Shield by the ECJ spell trouble for the UK

23 July 2020
Print
Share

In its decision on “Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems”, the European Court of Justice (“ECJ”) has ruled that:

  1. the EU-US Privacy Shield, which previously governed the flow of data between the two regions, is invalid. This overturns European Commission (“EC”) Decision 2016/1250 on the adequacy of the Privacy Shield system.
  2. the ombudsperson mechanism within the Privacy Shield system does not provide an effective remedy for a EU citizen whose data is transferred to the US which is equivalent to those required by Article 47 of the Charter of Fundamental Rights of the European Union; and
  3. the EU standard contractual clauses (“SCCs”) are to be regarded as valid in principle (upholding EC Decision 2010/87) but they should be suspended by data protection watchdogs should the guarantees within them not be upheld.

This ruling also confirmed there to be no transitional period, which means that the personal data of EU citizens can no longer lawfully transferred to the US under the Privacy Shield. A significant reason for these decisions is that US national security laws do not protect EU citizens from disproportionate surveillance practices within the US.

According to the European Institute of University College London’s policy paper, the Privacy Shield system “underpins transatlantic digital trade” for more than 5,300 certified companies with around 65% of them being small-medium enterprises (“SMEs”) or start-ups.

As the UK is currently within the transitional period of withdrawal from the EU, it is still subject to the regulatory requirements that come with membership of the bloc; which includes those related to data protection. However, from January 2021 this period will end – either pursuant to negotiated terms, as seems distinctly possible, with no agreement in place (i.e. a ‘no deal’ Brexit).

Both eventualities will require the UK to implement an adequate data protection regime which will be effectively equivalent to that of the EU’s General Data Protection Regulation (GDPR), in order to allow the transfer of EU citizens’ personal data to and from the UK without restriction. This will either be achieved by UK companies entering into SCCs, or by the EU considering the UK’s data protection measures to be “adequate”. The reason the ECJ’s recent decision with regard to the Privacy Shield system should be taken very seriously by the UK is that it impacts on both of these potential routes of EU-UK data flow post Brexit.

1. Adequacy decision

The recent decision throws some ‘shade’ on the UK’s previous understanding of its position with the EU with regard to the transfer of personal data. The UK government noted in its July 2018 White Paper: “The future relationship between the UK and the EU” that it believed the EU’s adequacy framework provides the right starting point for data protection arrangements between the UK and the EU after Brexit. The White Paper emphasises that the UK and the EU start their extensive agreement on the exchange of personal data from a unique position of trust in each other’s standards and regulatory alignment on data protection.

It is also important to note that in October 2019, the UK and US signed a data transfer agreement on the “Access to Electronic Data for the Purpose of Countering Serious Crime”, which did raise concerns with regard to a future adequacy decision being granted by the EU and this data transfer agreement potentially allowing for EU citizens data being transferred out to the US.

On 24th June, when speaking on the presentation of the European Commission’s first review on the assessment of the EU’s GDPR, Věra Jourová (the Vice-President for Values and Transparency) casted some doubt on whether the UK will be suited for an ‘adequacy decision’ from the EU by saying: “I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation”.

Considering the above in light of the ECJ’s recent decision, and the acrimony that has often characterised the withdrawal negotiations, there is significant doubt over whether the UK’s data protection measures will be considered ‘adequate’ by the EU. An important question here is will the EU factor into its decision that the UK has considered US protection measures sufficient whereas the EU does not? In essence, the concerns are that the UK may not be granted an adequacy decision should it be seen as a backdoor to unlawful US data transfers. Should this be the case, the UK’s service-based economy could find this particularly damaging – with finance, life sciences and high tech sectors as well as UK data centres and cloud service providers, possibly being hit the hardest.

2. SCCs 

The recent ECJ ruling also clarifies that the SCCs will be more closely scrutinised from now on. Data exporters utilising the SCCs will need to prove (prior to any transfer to the US) that the personal data being transferred will be given the equivalent levels of protection as those afforded within the EU. Data protection watchdogs have been encouraged to investigate and even suspend SCCs used to transfer personal data to the US where they find evidence that sufficient levels of protection aren’t being provided – this could prove to open the floodgates for other “Max Schrems’” to take up the call for arms against unlawful personal data transfers.

In summary, the EC will undoubtedly be taking a closer look at the UK’s national security systems in order to determine whether they are compatible with those required by the EU; if they are considered not to be sufficient, even the use of SCCs will not be infallible. The recent ruling may also affect the EC’s somewhat flexible and pragmatic approach in granting adequacy decisions moving forward, as it will want to avoid ruling against its decisions by the ECJ. That said, the EC will certainly want to keep the flow of data between the EU and UK moving for the good of the remaining Member States, so we cannot rule out the possibility of an adequacy decision being granted just yet.

Next Story
  • Preliminary position on priority published
  • International patent insights on quantum computing
  • Cambridge: City of Innovation - The 'beer summit' that generated a genomic revolution
  • IP protection in collaborations: "Just Do It"
  • Peppa Pig v Wolfoo: clash of the cartoons
More insights

Latest Insights

Chemistry
Article
- 24 March 2023

Preliminary position on priority published

As we reported in early 2022, the Enlarged Board of Appeal of the EPO are considering two pending referrals (G1/22 and G2/22) regarding the question of entitlement to priority. A hearing has now been set for 26 May 2023, and the Enlarged Board have now issued a preliminary opinion setting out the points to be discussed.
Read more
Quantum computing
Article
- 22 March 2023

International patent insights on quantum computing

The latest patent insight report from the European Patent Office (EPO) looks at the trends in patent filings for quantum computing, and has uncovered some interesting findings.
Read more
Article
- 22 March 2023

InterDigital v Lenovo: The latest FRAND judgment

On 16 March 2023, Mr Justice Mellor handed down the latest FRAND judgment: InterDigital v Lenovo. The case concerned a dispute between InterDigital and Lenovo as to the terms on which Lenovo should take a licence to InterDigital’s portfolio of patents which had been declared essential to the European Telecommunications Standard Institute (ETSI) Standards.
Read more
Marks & Clerk logo (white)
  • Terms & Conditions
  • Privacy Notice
  • Cookies
  • Legal Notices
  • Press Enquiries
  • Lexology
  • Mondaq