Major concerns that Brexit will push the UK’s £240bn data economy “off a cliff edge” look to have been assuaged by the unlikely combination of the European Court of Justice and Facebook, with one of the EU’s top judges rejecting claims that existing data transfer contracts are illegal.
The move follows a six year legal battle by privacy campaigner and Facebook nemesis Max Schrems, who has long argued that both Privacy Shield and so-called “standard contract clauses” do not provide consumers adequate protection from surveillance by US authorities.
The case was referred to the ECJ by the Irish High Court earlier this year, with Facebook fiercely defending its corner.
Now, ECJ advocate general Henrik General Saugmandsgaard Oe has said the SCCs adopted by the European Commission provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”.
While this opinion is non-binding, such recommendations are typically followed by the court in the majority of cases. A final ruling is expected in the new year.
When the UK leaves the EU, firms will still be able to transfer data to European companies but, as a “third country”, EU businesses would not be allowed to send data back to the UK.
However, this decision means UK companies will now be able to continue to use SCCs to transfer personal data from the EU post-Brexit, reducing the urgent need for an adequacy agreement, which could have taken many years to achieve.
The fastest adequacy decision took 18 months to finalise; the most recent one, signed with Japan, took years to complete and saw Tokyo join just 12 countries, including Argentina, Israel, and New Zealand, which have similar deals with the EU.
Linklaters TMT partner Richard Cumbley said the judge’s opinion will be a major relief not only to European businesses that transfer data to and from the US, but also for the UK’s Brexit plans.
He added: “It is good news for the new Government and its ambitious timetable to achieve a trade deal by the end of 2020, as it makes the need for a so called adequacy finding less acute.”
While Cumbley said the case confirms that SCCs cannot be used without significant due diligence by businesses – with material risks if they get the judgements wrong – the opinion suggests that these are issues for the European Commission and Government and not individual businesses.
He concluded: “The advocate general suggests that SCCs remain a solid basis for transferring data outside the EU.”
CBI: No deal Brexit will rock data industry from day one
Hefty issues await new culture secretary Nicky Morgan
Industry calls for Brexit ‘Plan B’ as budget growth stalls
Japan seals EU data transfer deal as UK firms await fate
Industry fears mount over prospect of no-deal Brexit
Industry urged to back Brexit deal to secure data flows
DMA gives cautious backing to draft Brexit data deal
DMA issues dire warning over post-Brexit data transfers
Firms urged to set up their own EU data transfer deals