Lawyers say the ruling represents a “worrying prelude” to Britain’s negotiations with the European Commission, writes Oscar Williams.
Legal experts have warned that the Court of Justice of the European Union’s (CJEU) surprise decision to invalidate an EU-US data-sharing agreement will dash hopes of Britain securing its own EU data deal after Brexit.
The influential international court handed down the ruling on Thursday morning after concluding that mechanisms, dubbed Privacy Shield, to protect European data from US state surveillance were inadequate.
It marks the second time the CJEU has invalidated an EU-US data-sharing agreement, having scrapped the previous Safe Harbour deal in 2015. Both cases were brought by the Austrian privacy campaigner Max Schrems in light of revelations made by Edward Snowden, the American whistle-blower.
In a statement, the court said: “The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
However, the court did not invalidate the standard contractual clauses used by many tech companies, including Facebook, to transfer EU data to the US. This means that firms will still be able to legally move European citizens’ data to the US, albeit with a higher administrative burden.
Thomas Boue, director-general of Europe, Middle East and Africa policy at the Business Software Alliance, told the Financial Times: “We are relieved that SCCs [standard contractual clauses] remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”
Partner at Osborne Clarke Tamara Quinn notes that when Safe Harbour was invalidated, businesses were given a grace period to reform how they transferred personal data to the US. “Let’s hope they are afforded the same this time around,” she says.
“Little, if any, enforcement action”
However, the extent to which the ruling will protect user privacy has been called into question by some legal experts. Speaking to NS Tech, Ross McKenzie, a partner at the law firm Addleshaw Goddard, warns that under the terms of the ruling, “already over-stretched data protection officers” (DPOs) will be forced to scrutinise data transfers more carefully than ever – with businesses expected to suspend transfers if there is a risk the provisions cannot be complied with”.
But he adds: “It is already a difficult task to manage international data transfers, and this new expectation may not be received well by boards of management operating in a global industry. In reality, DPOs are likely to struggle to achieve meaningful engagement, particularly when there is little, if any, enforcement action in this area by regulators in this space.”
UK data adequacy deal
One of the most significant consequences of the ruling might be what it means for the UK’s chances of securing a post-Brexit data adequacy decision.
In November last year, the UK signed a deal with the US making it easier for British law enforcement agencies to obtain data stored in the US, and vice versa. The European Data Protection Board has already warned that the deal could jeopardise the UK’s chance of securing a data adequacy decision.
But McKenzie warned that today’s CJEU ruling will cast further doubt on the prospects of a UK-EU data deal.
“This finding is a worrying prelude for the UK’s hopes of a ruling that their data protection laws are adequate in the eyes of Europe,” he says. “The fact that the UK has had condemnation from Europe for their surveillance laws will not bode well in light of the renewed criticism of the US’s attitude to snooping. The impact of the UK not being found as having adequacy will be a blow to our economy, which depends so much on the free flow of data.”
Quinn adds: “The CJEU’s decision to invalidate the EU-US Privacy Shield raises significant concerns about transfers of personal data from the EU to the UK post-Brexit. The CJEU took issue with the lack of limitations in US law on the access and use by US public authorities of data transferred from the EEA to the US. To have any hope of achieving adequacy, the UK will need to show that the same cannot be said here”.