As the EU’s most senior data protection chief joins growing criticism of the proposed Privacy Shield agreement, lawyers are warning that a new legal challenge could also blow alternative transatlantic data transfer methods to smithereens.
Ever since safe harbour was ruled illegal last October, data protection authorities across EU states – including the UK – have recommended companies use so-called “standard contract clauses”, with many organisations converting safe harbour-based transfers to SCCs.
But now Max Schrems – the man whose case led to safe harbour being ruled illegal last year – has filed a new complaint with the Irish Data Protection Commissioner about SCCs, asserting that they suffer from the same flaws as safe harbour, including the fact that they do not prevent US authorities from mass, indiscriminate access to EU citizens’ personal data.
Irish DPC Helen Dixon has issued a statement, saying that she is taking the complaint to the Irish High Court, with a view to a referral to the EU Court of Justice to determine the legal status of data transfers under the SCCs.
In a blog post, a panel of experts from legal firm Reed Smith warned: “If the European Court of Justice declares SCCs invalid, then the remaining options available to organisations are limited.
“[Other methods] require significant investment and will not be appropriate for the resources or trading profile of every organisation. It may be possible to rely on the consent of the data subject as a legal basis for the transfer of their data; however, consent is also unlikely to work for all categories of data, in particular employees’ data.
“To compound the difficulties, the introduction of the GDPR in 2018 means that the requirements to achieve a valid consent will become more stringent.”
While some may be wondering what all the fuss has been about, nearly 4,400 companies transfer data between the continents, including some of the world’s biggest technology groups such as Facebook and Amazon and most UK personal data held in the cloud is based in the States.
Criticism of the Privacy Shield deal – the successor to the long-standing safe harbour agreement – has been building ever since it was first revealed in February, despite EU justice commissioner Věra Jourová’s insistence that it was a “major achievement”.
Industry experts, MEPs, UK Information Commissioner Christopher Graham, and the EU Article 29 Working Party – which is made up of the data chiefs of all EU states – have all slammed the levels of protection offered.
They were joined this week by European Data Protection Supervisor Giovanni Buttarelli, who said that “the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court” and called for “significant improvements”.
Facebook ‘still using illegal safe harbour agreement’
Privacy Shield is nothing short of preposterous
UK consumer data ‘is still at risk’ despite US deal
EU confirms 11th-hour deal over US data transfers
Obama urged to intervene in safe harbour talks
Firms told ‘don’t panic’ over safe harbour ruling
Cameron takes charge of safe harbour backlash
New ruling halts US data transfer