One of the clearest signs of life returning to something like normal, as far as the European Union (“EU”) was concerned, after the spate of Covid-19-related lockdowns in the first half of 2020 was the decision of the European Court of Justice (“ECJ”) in the litigation brought by Max Schrems regarding international transfers of personal data from the European Economic Area (“EEA”) to other jurisdictions, with a particular focus on the United States (“US”).
Mr Schrems had achieved notoriety in 2015 with the first case he brought to the ECJ, which had the effect of striking down the US Safe Harbor scheme under which the personal data of EU citizens had previously been processed in the US. As a consequence, the European Commission and the US Presidential administration hastily agreed to establish the EU-US Privacy Shield in 2016. The Shield and its accompanying register were established as a method of ensuring that EU citizens’ data was processed in a manner consistent with EU data protection laws, including GDPR, which had been approved by the European Parliament in 2016 but would not take direct effect across the EEA until May 2018.
The fact that Mr Schrems indicated his intention to launch a fresh round of litigation challenging the Privacy Shield mechanism as soon as its details were published showed that the Shield was no more than a sticking plaster over a much bigger problem – the massive inconsistency between EU data protection law, with the evolving rights and freedoms EU data subjects enjoy, and the position in the US, where there is no federal data protection law and state legislatures have taken a piecemeal approach to data protection across the 51 states. Sure enough, the Privacy Shield faced a series of challenges, including an annual joint review by the European Commission and the US Federal Trade Commission (“FTC”). These annual reports showed a regular pattern: problems with the operation of the scheme were highlighted by the European Commission, and little progress was made towards resolving them on the US side. For example, one consistent stumbling block was that the appointment of the ombudsperson mandated by the scheme remained on an “interim” basis for the majority of the scheme’s operation.
Neither the EU nor the US could bring themselves to make a final break and walk away, however, and it was left to the impending decision in Mr Schrems’ case to finally decide the issue. Chief amongst the concerns highlighted by Mr Schrems were the routine surveillance practices of the US security services, who openly surveil the personal data of all non-US citizens stored on servers and infrastructure based in the US. In effect, these practices make it impossible for US corporations to sign the Privacy Shield register and make commitments regarding the security, integrity and onward transfer of personal data when that data is exposed to a high level of surveillance beyond the control of any corporation. As a result, the Shield has been found to be invalid and can no longer be relied on as a mechanism to underpin the transfer, processing and retention of the personal data of EU citizens in the US by corporations from Nike to Amazon and Facebook.
The immediate consequence of this is that organisations instead have to rely on the presence of Standard Contractual Clauses (“SCCs”) in all of their data transfer agreements. These clauses are mandated by the European Commission and amount to a significant addition to any agreement where they are not already present. Just to add to the fun, these clauses are now almost a decade old; the European Commission had already announced its intention to update them and was purposely waiting to do so pending the outcome of the Schrems litigation. New SCCs are expected to be published before the end of the year.
A final complication is added by the departure of the UK from the EU on 31 December 2020 with, at the time of writing, no agreement in place regarding the future state of relations. It had been hoped that an adequacy decision from the EU in favour of the UK would have been made, facilitating the unhindered transfer of personal data from the EU to the UK. Despite the incorporation of GDPR into UK law by the UK Data Protection Act 2018, the surveillance practices of the British state may lead to an adequacy decision not being forthcoming. As a result, in the face of this uncertainty, organisations in the EU will be advised to ensure SCCs are in place in data transfer agreements from the EU to both the UK and the US. This may appear to be only a minor complication until the breadth of suppliers, partners, stakeholders and other third-party data processors behind the average organisation is taken into account. One compliance officer I recently spoke to was leading a review of over 3000 individual contracts to ensure compliance across the board. Consequently, for many organisations, demonstrating compliance regarding international data transfers to data protection regulators may be rather easier said than done.