In a surprise decision that will have a major impact on trans-Atlantic data transfers, Europe’s top court ruled Thursday that a mechanism used by thousands of companies to send data to the United States is unlawful, citing concerns raised by privacy activist Max Schrems in his ongoing legal battle with Facebook over whether EU citizens’ data can be shared with U.S. authorities under the country’s surveillance laws.
The EU-U.S. Privacy Shield—scrapped as of Thursday—was set up in 2016 to protect the personal data of Europeans when it is transferred across the Atlantic for commercial use. More than 5,300 companies had signed up to the program, which allowed (on paper, at least) validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law.
Its predecessor, known as Safe Harbor, was also scrapped by the same court in 2015 after Schrems raised similar concerns following revelations made in 2013 by former U.S. intelligence contractor Edward Snowden about mass surveillance.
In a statement Thursday, Schrems said: “The court clarified for a second time now that there is a clash between EU privacy law and U.S. surveillance law,” adding that “this judgment is not the cause of a limit to data transfers, but the consequence of U.S. surveillance laws.”
While the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. agreement, it did uphold the validity of another data transfer mechanism known as standard contractual clauses (SCCs)—template contracts prepared by the European Commission that have been relied upon by businesses to facilitate transfers for nearly 20 years.
Will Big Tech need to store data in the EU?
Technology experts say that some companies may respond by moving more data to store it on servers inside the European Union. But this will be a slow, difficult, and expensive process. A simpler move may be to encrypt all data that is transferred to a third country, but that will also be expensive and will slow down data flows dramatically.
Julian David, CEO of technology lobby group techUK, says that there must be a “grace period”—as took place during the time when Safe Harbor became defunct and before the Privacy Shield was set up—where firms can continue to operate as they currently do without fear of regulatory sanctions.
“The focus now must be on providing certainty in the near term through a grace period and quickly returning to the negotiating table to build a durable and sustainable solution, creating a dependable regulatory environment for the transfer of data that can support business, innovation and trade,” he says.
Eva Nagle, associate general counsel at Facebook, says that the company “looks forward to regulatory guidance in this regard.”
In the meantime, organizations—including large technology firms—need to “stay put and continue with what they have been doing,” says Annabel Gillham, partner in the global data privacy team at law firm Morrison & Foerster.
“While there needs to be more due diligence around the use of SCCs, in particular in third countries with strong surveillance laws, the CJEU has said that they remain valid and so they can continue to be used. As such, tech firms are not breaking any rules by using them. Until the European Commission and EU data protection authorities come up with either an alternative mechanism, or guidance about how SCCs can be used to ensure data protection, companies and tech firms have little choice but to continue with the status quo.”
The CJEU added that EU data protection authorities, however, should proactively suspend or prohibit a transfer of personal data to a third country where they take the view that the level of data protection afforded in the European Union cannot be matched by the country where the data is being exported to—a position put forward in a non-binding opinion last December.
As a result, SCCs may not provide the thousands of companies that use them with the legal protection they need; while valid, they can only be used where the associated risks have been properly assessed.
How the ruling will impact businesses
Lawyers say that large companies will make hundreds (if not thousands) of transfers, so the additional compliance checking may be burdensome. They also say the possibility of ceasing some existing types of data transfers altogether cannot be ruled out.
In addition, lawyers suggest the ruling means that data transfers to other jurisdictions, such as India or China, will need careful examination because they also have strong state surveillance powers.
“Failed schemes like this have significant impacts for individuals and for businesses,” says Stewart Room, global head of data protection and cyber-security at law firm DWF. “Businesses will be asking themselves ‘what’s next?’ There are other countries that pose challenges to privacy rights and data protection and they raise obvious questions about the potential for other legal action.”
Tanguy Van Overstraeten, a partner and global head of privacy and data protection at law firm Linklaters, says that “large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The CJEU has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed.”
“Similarly, this may encourage data protection regulators to clamp down on international transfers more aggressively, with the possibility of transfers to jurisdictions with strong state surveillance powers becoming increasingly difficult. The judgment leaves a huge question mark over data transfers to the U.S.,” says Van Overstraeten.
Emma Erskine-Fox, an associate at U.K. law firm TLT, says that data regulators now need to provide guidance on the safe use of SCCs. “SCCs are widely regarded as being out-of-date, clunky and unfit for modern data processing practices, but organizations will need to continue to rely on them for some time to come. Additional guidance is urgently needed on how and where the SCCs can be relied upon.”
Lawyers say that businesses will now look to EU regulators to propose some form of transition to allow them to move away from the Privacy Shield without the threat of significant sanctions and civil compensation claims.
Some experts also suggest that the CJEU’s judgment could have implications for the United Kingdom’s prospects of gaining adequacy at the end of the Brexit transition period to ensure that data flows between the United Kingdom and the European Union continue as they do now.
Under the EU’s General Data Protection Regulation (GDPR), it is incumbent upon those exporting the data to a recipient in a third country to check that it will be handled with the same level of protection as in the European Union. If not, they could face hefty fines of up to 4 percent of global annual revenues.
“The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” said Schrems.
The case—C-311/18 Facebook Ireland and Schrems—went to the CJEU in Luxembourg after the privacy campaigner challenged Facebook’s use of SCCs, saying they lacked sufficient data protection safeguards. It is now highly anticipated that the Irish Data Protection Commission, the lead regulator for Big Tech firms in Europe (including Facebook), will follow the CJEU’s lead and demand changes in the way that the social media company stores personal data for EU citizens.