Thousands of companies that rely on the Privacy Shield agreement to transfer personal data between the EU and the US have been dealt a major blow following a landmark ruling by the European Court of Justice which invalidates the deal, and even the alternative “standard contractual clauses” will face tougher restrictions.
The move, which will affect nearly 5,400 businesses including Facebook, Amazon, Google, Experian, Acxiom, LinkedIn and Microsoft, follows a seven-year battle by Austrian lawyer and privacy activist Max Schrems, who has long argued that the data transfer policies do not provide consumers adequate protection from surveillance by US authorities.
His first scalp was Safe Harbour, which was ruled invalid by the same court in 2015. However, Schrems insisted the same problems were inherent in its replacement, Privacy Shield, and lodged another complaint with the Irish Data Protection Commission specifically against Facebook, dubbed “Schrems II”.
The case was referred to the ECJ by the Irish High Court earlier this year, with Facebook fiercely defending its corner.
In its decision, published today, the ECJ ruled: “The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” The ruling cannot be appealed.
In response, Schrems said: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”
Meanwhile, Dutch MEP Sophie in’t Veld tweeted: “A victory for personal data protection, but a crushing defeat for [the European] Commission over legality of data transfer scheme. I call on the Commission to stop stubbornly ignoring the expert advice and repeated calls from the [European Parliament].”
And Estelle Massé, senior policy analyst at privacy group Access Now, commented: “It was irresponsible from the European Commission to adopt the Privacy Shield both from a legal and political perspective. From the get go, the Commission ignored the legal opinion of data protection experts and civil society, who urged against this deal’s adoption.
“Time and time again, we reiterated that not suspending the deal was a big mistake, not only because it endangered people’s rights, but because it also created legal uncertainties for companies. We hope that, this time, the Commission draws the necessary conclusions from the ruling and works on all the necessary reforms.”
The court’s decision not to outlaw “standard contractual clauses” (SCCs) – which reaffirmed ECJ advocate general Henrik Saugmandsgaard Øe’s recommendation made last year – should at least protect the UK’s £240bn data economy following Brexit.
When the Brexit transition period expires on December 31, firms will still be able to transfer data to European companies but, because the UK will be a “third country”, EU businesses would not be allowed to send data back to the UK.
However, the decision means UK companies will now be able to continue to use SCCs to transfer personal data from the EU post-Brexit, reducing the urgent need for an adequacy agreement, which could take many years to achieve.
Even so, it still leaves many questions unanswered over whether UK firms will be able to legally transfer data to the US, as data controllers must carry out an assessment of the data protection afforded by the country where the data is to be taken. If the level is not equivalent to that offered by EU law then the controller has a legal obligation to suspend the data transfers.
Of course, after December 31 the UK does not have to follow EU law. However, if the Government wants an adequacy agreement with Brussels it will have to toe the line, a move which could then scupper US trade agreements.
Mishcon de Reya Partner Adam Rose commented: “There must now be serious questions as to whether any transfers to the US can be valid. As a result of this, the binding corporate rules regime used by some of the world’s biggest international groups must now also be open to challenge. Data protection authorities (such as the ICO) must also intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.”