That’s torn it. The CJEU says Privacy Shield, the deal which lets EU companies send data to the US, is no good. Not only does this cause huge problems for everyone using Apple, Google, Microsoft and about 5,000 other firms – but it also foreshadows real problems for the UK come 2021.
As David Allen Green might put it: Well.
The tl;dr version: Max Schrems, the guy whose lawsuit did for the old Safe Harbour principles allowing trans-Atlantic data exchange, has done it again. He asked the Irish data protection commissioner to ban Facebook from sending his data to the US. The DPC asked the High Court to ask the Court of Justice of the EU. And now the CJEU says Privacy Shield, the mechanism which since 2016 has allowed the US to be seen as an “equivalent jurisdiction” for data protection purposes, isn’t good enough.
This isn’t entirely unexpected. Although the Advocate General’s opinion in December took the view that the Court didn’t have to examine the validity of Privacy Shield (while by no means giving it a clean bill of health), many in the data protection game pointed out that Privacy Shield didn’t resolve some core problems – in particular the fact that nothing in it stops US public authorities from accessing non-US citizens’ personal data well beyond the boundaries established (since 2018) by GDPR – any more effectively than Safe Harbour had. As such, so the argument went, there wasn’t any good reason why the CJEU would think differently this time around.
And that’s how it’s turned out. The Court (decision here) says Privacy Shield is no good.
To be clear: this isn’t farewell to all trans-Atlantic transfers. If they’re necessary, it’s OK – so this doesn’t stop you from logging into Gmail or looking at a US-hosted website. But EU companies sending their people’s or their customers’ personal data to US servers for processing solely in reliance on Privacy Shield, will need to stop.
And most, on the whole, don’t rely on it. Instead, they rely on mechanisms such as standard contractual clauses or SCCs (almost nine-tenths of firms, according to some research), which use language approved by the European Commission in 2010.
Today’s ruling says SCCs can stay. But it puts an obligation on data controllers to assess whether the contractual language can really provide the necessary protection when set against the prevailing legal landscape in the receiving jurisdiction, and to suspend transfer if it can’t.
And there’s the cat among the pigeons. Hard-pressed and under-resourced data protection authorities may need to start looking more intently at other jurisdictions, so as to set the boundaries of what’s permissible. And data controllers can’t simply point to the SCCs and say: look, we’re covered.
In other words: Stand by, people. This one’s going to get rocky.
(Obligatory Brexit alert…)
Just as a final word: as my friend Felicity McMahon points out, this is really, really not good news for the UK. When the transition (sorry, implementation) period ends on 31 December 2020, and our sundering from the EU is complete, we will need an adequacy decision if EU firms are to keep sending personal data to the UK unhindered. One view is that since the Data Protection Act 2018 in effect onshores the GDPR wholesale, we should be fine. But there are significant undercurrents in the opposite direction, thanks to our membership of the Five Eyes group of intelligence-sharing nations (with the US, Australia, Canada and New Zealand) and the extent to which (under the Investigatory Powers Act 2016) our intelligence services can interfere with communications.
Since this kind of (relatively) unhindered access by the state is what’s just torpedoed Privacy Shield, I’m not feeling terribly comfortable about the UK’s equivalence prospects. I hope I’m wrong. But I fear I’m not.
As news stories used to say: Developing…