In its decision on “Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems”, the European Court of Justice (“ECJ”) has ruled that:
- the EU-US Privacy Shield, which previously governed the flow of data between the two regions, is invalid. This overturns European Commission (“EC”) Decision 2016/1250 on the adequacy of the Privacy Shield system.
- the ombudsperson mechanism within the Privacy Shield system does not provide an effective remedy for a EU citizen whose data is transferred to the US which is equivalent to those required by Article 47 of the Charter of Fundamental Rights of the European Union; and
- the EU standard contractual clauses (“SCCs”) are to be regarded as valid in principle (upholding EC Decision 2010/87) but they should be suspended by data protection watchdogs should the guarantees within them not be upheld.
This ruling also confirmed there to be no transitional period, which means that the personal data of EU citizens can no longer lawfully transferred to the US under the Privacy Shield. A significant reason for these decisions is that US national security laws do not protect EU citizens from disproportionate surveillance practices within the US.
According to the European Institute of University College London’s policy paper, the Privacy Shield system “underpins transatlantic digital trade” for more than 5,300 certified companies with around 65% of them being small-medium enterprises (“SMEs”) or start-ups.
As the UK is currently within the transitional period of withdrawal from the EU, it is still subject to the regulatory requirements that come with membership of the bloc; which includes those related to data protection. However, from January 2021 this period will end – either pursuant to negotiated terms, as seems distinctly possible, with no agreement in place (i.e. a ‘no deal’ Brexit).
Both eventualities will require the UK to implement an adequate data protection regime which will be effectively equivalent to that of the EU’s General Data Protection Regulation (GDPR), in order to allow the transfer of EU citizens’ personal data to and from the UK without restriction. This will either be achieved by UK companies entering into SCCs, or by the EU considering the UK’s data protection measures to be “adequate”. The reason the ECJ’s recent decision with regard to the Privacy Shield system should be taken very seriously by the UK is that it impacts on both of these potential routes of EU-UK data flow post Brexit.
1. Adequacy decision
The recent decision throws some ‘shade’ on the UK’s previous understanding of its position with the EU with regard to the transfer of personal data. The UK government noted in its July 2018 White Paper: “The future relationship between the UK and the EU” that it believed the EU’s adequacy framework provides the right starting point for data protection arrangements between the UK and the EU after Brexit. The White Paper emphasises that the UK and the EU start their extensive agreement on the exchange of personal data from a unique position of trust in each other’s standards and regulatory alignment on data protection.
It is also important to note that in October 2019, the UK and US signed a data transfer agreement on the “Access to Electronic Data for the Purpose of Countering Serious Crime”, which did raise concerns with regard to a future adequacy decision being granted by the EU and this data transfer agreement potentially allowing for EU citizens data being transferred out to the US.
On 24th June, when speaking on the presentation of the European Commission’s first review on the assessment of the EU’s GDPR, Věra Jourová (the Vice-President for Values and Transparency) casted some doubt on whether the UK will be suited for an ‘adequacy decision’ from the EU by saying: “I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation”.
Considering the above in light of the ECJ’s recent decision, and the acrimony that has often characterised the withdrawal negotiations, there is significant doubt over whether the UK’s data protection measures will be considered ‘adequate’ by the EU. An important question here is will the EU factor into its decision that the UK has considered US protection measures sufficient whereas the EU does not? In essence, the concerns are that the UK may not be granted an adequacy decision should it be seen as a backdoor to unlawful US data transfers. Should this be the case, the UK’s service-based economy could find this particularly damaging – with finance, life sciences and high tech sectors as well as UK data centres and cloud service providers, possibly being hit the hardest.
The recent ECJ ruling also clarifies that the SCCs will be more closely scrutinised from now on. Data exporters utilising the SCCs will need to prove (prior to any transfer to the US) that the personal data being transferred will be given the equivalent levels of protection as those afforded within the EU. Data protection watchdogs have been encouraged to investigate and even suspend SCCs used to transfer personal data to the US where they find evidence that sufficient levels of protection aren’t being provided – this could prove to open the floodgates for other “Max Schrems’” to take up the call for arms against unlawful personal data transfers.
In summary, the EC will undoubtedly be taking a closer look at the UK’s national security systems in order to determine whether they are compatible with those required by the EU; if they are considered not to be sufficient, even the use of SCCs will not be infallible. The recent ruling may also affect the EC’s somewhat flexible and pragmatic approach in granting adequacy decisions moving forward, as it will want to avoid ruling against its decisions by the ECJ. That said, the EC will certainly want to keep the flow of data between the EU and UK moving for the good of the remaining Member States, so we cannot rule out the possibility of an adequacy decision being granted just yet.