Companies that routinely transfer data between the EU and the US are currently scrambling to find a legal way to do so, after Europe’s top court voided the previous mechanism, the EU-US Privacy Shield.
The decision made today by the European Court of Justice (ECJ), has been met with shock by much of the technology and business community. However, it has been welcomed by privacy campaigners, including Max Schrems, the Austrian that brought the case, who called it a “100% win”.
The case challenged the established EU-US Privacy Shield, which allowed companies to sign up to higher privacy standards prior to transferring data to the US. However, Schrems argued that it did not effectively protect EU citizens from US government surveillance, an argument that the ECJ has today upheld.
After a first read of the judgement on #PrivacyShield it seems we scored a 100% win – for our privacy
The US will have to engage in serious surveillance reform to get back to a "privileged" status for US companies.
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) July 16, 2020
EU-US data sharing to be reconsidered as Privacy Shield struck down
For companies, this means they now have to find a new solution – and quickly.
“Every company which uses the Privacy Shield scheme to justify EU to US bulk data transfers now needs to find another legal route to justify the transfer,” said Daniel Tozer, head of data and technology at Harbottle & Lewis.
“These companies will be seeking urgent proposals from national data protection regulators for transition arrangements to be put in place whilst they make the changes.”
Darren Wray, CTO at Guardum, added that it would “leave many companies on both sides of the Atlantic scrambling to adjust their processes”.
“What this means for any organisation relying on the Privacy Shield is that they will no longer be able to share EU personal information when sending documents to businesses in the US,” he said.
“In many cases, the personal information may not be vital to the process, but the historically manual process of redacting documents has meant that organisations have taken the easy route by ensuring that their US partners are registered and comply with the Privacy Shield programme.”
For some companies, the solution is likely to be a reconsideration of cross-continental data sharing at all.
“There now aren’t many other options for EU-US data transfers and some companies will decide that these data transfers are no longer appropriate and will restructure their operations to reduce or remove such transfers,” said Tozer.
“A case-by-case assessment of data flows to the US and other countries with potential surveillance issues is required urgently.”
Challenges ahead for regulators
Notably, this is set to place a significant burden on regulators to find a solution to the now-voided EU-US Privacy Shield.
“This crying out for urgent guidance from regulators. It is impractical for any but the largest businesses to do this assessment,” said Renzo Marchini, privacy, security and information partner at Fieldfisher.
He drew particular attention to Standard Contractual Clauses (SCCs), which – as a result of the ruling – will now be subject to increased scrutiny, but are permitted to be used. However he argued that these too could be seriously impacted by the ruling.
“It will be difficult for the regulators to allow SCCs for transfers to the US. If there is too much scope for intrusion into European individuals’ privacy under Privacy Shield, how can there not be for SCCs?
“The regulators are themselves in an unenviable position. They are supposed to police these assessments and transfers. Even if a transfer relies on SCCs, a transfer should be stopped if the regulator identifies that the protections are not there (and the business carried on regardless).”
Brexit brings data sharing challenges to the UK
Of course, the looming spectre of Brexit also adds an additional complication to the situation, as many expect data sharing between the UK and the EU to be subject to similar scrutiny to that shared with the US following the UK’s departure.
“The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission,” said Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP.
“The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”
This is a view echoed by Harbottle & Lewis’s Tozer.
“Following the transition period, the UK will become a ‘third country’ to the EU,” he said.
“This judgement raises questions about the UK’s ability to be awarded data protection “adequacy” by the EU, given the UK’s own surveillance laws and its membership of the Five Eyes programme. Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed.”