ECJ hears case which could upend international data transfer rules
European judges have heard a vital case which has the potential to upend the global regime for transferring personal data.
On 9 July Max Schrems an Austrian privacy activist took a long-running legal battle against Facebook over its data transfers to the U.S. to the European Union's highest court for a second time.
While the case concerns just one company, it could have wide reaching ramifications for the mechanisms for transferring personal data, and depending on the outcome of the Brexit negotiations, enormous consequences for companies operating in the UK that exchange data with the EU and the rest of the world.
The underlying question on which the European Court of Justice (ECJ) heard arguments is whether Facebook's Dublin-based subsidiary can legally transfer users' personal data to the U.S. parent company.
However, the full scope of the case means that it brings into question the validity of both the EU-US Privacy Shield and Standard Contractual Clauses (SSC’s). SCCs are a critical part of the data transfer regime under GDPR as they are the primary mechanism to allow an EU company to transfer personal data to another company if that company exists in a country without an EU adequacy agreement.
Were the ECJ to rule against either Privacy Shield or SCCs as legal forms of transfer, it would significantly reduce the options available to ensure the free flow of personal data.
Max Schrems also brought the 2013, appeal to the ECJ, following the Edward Snowden revelations, that resulted in the striking down of the EU – US Safe Harbour framework. That decision caused major problems for companies working across the EU and US, with one company reporting having to change 2 million contracts to ensure the legality of data flows. The striking down of Safe Harbour resulted in crisis meetings between the US and the EU to agree a new relationship, resulting in Privacy Shield.
While Schrems has not brought the case with the aim of invalidating Privacy Shield or SCCs, the Irish court from which this case has been referred has set a total of 11 questions to be answered by the ECJ , these have the potential to result in a decision invalidating both Privacy Shield and the SCCs. Data protection lawyers will therefore be watching the for the ECJ’s decision very closely.
The case also creates a potentially massive headache for UK firms of we were to leave the EU in October with No Deal. Advice from both Government and the Information Commissioner has highlighted that companies preparing for a potential No Deal should ensure that SCCs form part of all personal data transfers from the EU to the UK, in order to ensure they are legally valid in the event of No Deal. Should SCCs then be struck down, this planning could have been for nothing and the already limited options for enabling the free flow of data would be even further restricted.
The concern highlights again why a No Deal Brexit is such a risk for the tech sector. In order to avoid relying on SCCs the UK will need to go through the process of securing an adequacy decision from the European Commission. An adequacy agreement is achievable during a transition period, but the length of time that this will take is uncertain. The shortest decision was concluded in 18 months and the European commission will not begin the process until the UK is a third country, after it has left the EU.
The timing of the ECJ case is therefore critical. The first step will be for the Advocates General of the ECJ to issue a preliminary, non-binding opinion to the court. This is expected on 12 December. The advocates general decision often foreshadows the final ruling of the court meaning we will get a good measure of the likely outcome of the case in December.
The final, binding, decision from the court is due in early 2020.
The optimal outcome for the industry is that SSCs are not invalidated as this would have huge ramifications, not just for the UK, but for the global regime for transferring data. techUK will continue to monitor the progress of the case at the ECJ and will seek to advice members on what they can do depending on the outcome.
Latest News from
G7 Summit: techUK urges leaders to align on digital policies23/08/2019 10:05:00
Ahead of the G7 Summit, techUK urges leaders to make progress in aligning digital policies and boosting the growth of the digital economy.
Explaining adequacy; personal data transfers to the EEA under no deal22/08/2019 16:25:00
Transfering personal data from to the EEA will become harder under no deal, here techUK explains why, and the next steps the UK should take.
PublicTechnology catch up with GDS Innovation lead Sue Bateman22/08/2019 13:05:00
GDS Innovation Lead Sue Bateman explores the Innovation Strategy’s chances of a lasting-legacy.
New Local Public Services Committee announced21/08/2019 14:15:00
techUK delighted to announce the members of the Local Public Services Committee.
Local Digital Fund open for next round of funding for councils20/08/2019 13:05:00
Councils looking to improve public services through digital technology can apply for funding from today.
Justice & Emergency Services Management Committee: Quarterly Statement16/08/2019 09:20:00
Following on from the great engagement from the Chair’s Interim Statement in May, the Justice & Emergency Services Management Committee are releasing a quarterly communication.
£250m NHS AI Lab Announced15/08/2019 11:10:00
The Prime Minister, Health Secretary, NHS CEO and NHSX CEO came out in force last week to announce a £250m fund to ‘boost artificial intelligence to solve some of the biggest challenges facing the NHS’.
Government announce CSIIF funding and UK Cyber Council Delivery Lead14/08/2019 16:05:00
The third round of funding through the Cyber Skills Immediate Impact Fund (CSIIF) has been launched today by Cyber Security Minister Nigel Adams.