ECJ ruling causes data transfer headache for CIOs

A new ruling from the European Court of Justice (ECJ) could have major implications for how data is transferred around the world.

On 16 July, the Data Protection Commissioner vs Facebook Ireland case was ruled upon, following up on the ECJ’s 2015 ruling in Maximillian [Max] Schrems vs Data Protection Commissioner, in which it invalidated the adequacy decision underlying the EU-US Safe Harbour arrangement.

The latest ruling, dubbed Schrems II, affirmed the validity of Standard Contractual Clauses (SCCs) for data transfers, but invalidated a decision that was the legal basis of the EU-US Privacy Shield – the successor to the Safe Harbour agreement.

Late last year, the ECJ decided that personal data transfers from tech companies in the EU to the US were valid, after it examined the case brought by Austrian privacy activist and lawyer Max Schrems.

He argued in 2013 that the Edward Snowden disclosures showed there was no effective data protection regime in the US, to which Facebook responded that the General Data Protection Regulation (GDPR) rules made the case irrelevant.

In May 2016, the protection of personal data officially became a fundamental right in the European Union. In safeguarding this right, the European Commission assesses whether countries meet certain standards. The Privacy Shield was essentially the seal of approval for the US and allowed personal data to be transferred between the EU and the US.

This month's ruling has now invalidated the Privacy Shield, due to concerns over US surveillance programmes. Companies will now have to lean more than ever on SCCs to demonstrate compliance, putting the responsibility on chief information officers (CIOs) and chief information security officers (CISOs) to determine whether they trust the integrity of a US company.

Challenges created

The Software Alliance (BSA) responded to the ruling by pointing out the challenge created for more than 5,300 US-based companies - including over 250 with headquarters in Europe - that relied on the Privacy Shield to transfer personal data to and from Europe.

Thomas Boué, director general of policy for EMEA at BSA, commented: “70 per cent of the companies certified to the Privacy Shield were SMEs, and they will now have to spend time and resources finding alternatives to carry out daily business transactions like processing payroll, sending emails, or storing documents on cloud-hosted servers.”

“Companies need to have reliable and stable mechanisms to send data from the EU to the US – this is an unwelcome development at a time when businesses on both sides of the Atlantic are focusing on recovering from the economic impacts of COVID-19 and are increasingly relying on data-driven tools and services to do so,” he added.

Neil Stone, head of marketing for data collection firm SmartSurvey, stated that many data controllers won’t be sure what they have to do now. “Cue lawyers looking very happy, as this ruling means they have just got a whole load busier – the reality is many businesses will need more legal support to ensure they are compliant and can continue to operate.”

For software providers that relied solely on the Privacy Shield, legal teams will most likely be feverishly updating terms and conditions and issuing updated versions of existing contracts if they wish to continue processing EU data.

“It’s very possible that the EU and the US will try to resolve these issues and reach a new agreement,” said Stone. “However, this could take some time and there is limited room for manoeuvre – it’s also unlikely the US will reform its approach to surveillance legislation and national security just for an EU data transfer agreement.”

A spokesperson for the Information Commissioner’s Office said: “We stand ready to support UK organisations and will be working with UK government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

SCCs to the rescue?

SCCs are the main transfer mechanism used by 90 per cent of companies that transfer data internationally. Issued by the EU Commission, these clauses impose a range of contract-based obligations to help ensure EU law’s privacy protections flow with any personal data sent outside of the EU.

Bill Mew, founder and chief executive of Crisis Team, explained that in order to continue using SCCs, organisations must ensure that data transferred to the US is properly encrypted to protect it in transit and is then stored beyond the reach of US surveillance laws.

“All organisations now need to conduct an urgent review to see if they or any of their sub-contractor(s) are subject to relevant US surveillance laws - they certainly apply to all US data processors or cloud firms - and if their data transfers are encrypted to a level that ensures that ‘tapping’ during transfer is impossible,” he said.

“In fear of fines and litigation, organisations will inevitably shift sensitive data back to the EU and place it with local providers rather than US electronic communications service providers,” Mew continued, suggesting that this will massively shift the dynamics of the European cloud market.

Cloud consequences

“A few local cloud players that already have achieved critical mass, and that either operate only in the EU or have operations in both the US and EU that are ‘air gapped’ with capital structures to protect them from seizures under the CLOUD Act, will be ideally placed to clean up here,” he added, noting that the recent European cloud Gaia-X initiative will also get a shot in the arm.

Sam Curry, chief security officer at Cybereason, saw a positive in that something will emerge to replace the Privacy Shield, but warned that whatever comes next “can’t be a short-term fix” and has to address the fundamental, de facto difference in attitudes on the two sides of the Atlantic.

“On one side we have a central government that is consistently valuing security and safety over confidentiality and privacy; on the other side, we have an association of 27 states which all have equal sovereignty and gravitate more to confidentiality and privacy.”

In an increasingly cloud-dependent world, a dependence exacerbated by remote working and the decentralisation of IT, it becomes necessary to have data autonomy regardless of whose machines are running beneath the cloud abstraction.

Planning for the future

“The short term is that we get a Safe Harbor 3.0 with a new name and hopefully more longevity with the ECJ, or companies must find ways to get their act together and satisfy both European laws and US laws through the mechanisms of business, technology and legal contracts,” commented Curry. “It’s time to start architecting for the future regardless of what mechanisms emerge to replace the now broken Privacy Shield.”

David Dumont, data privacy partner at law firm Hunton Andrews Kurth, stated that for transfers currently based on the Privacy Shield, the options for alternative mechanisms are extremely limited, as the court pointed to the derogations listed in the GDPR as potential alternatives – but for most data transfers these are likely to be cumbersome to use.

“For businesses with significant data flows, it will be important to develop a structured and efficient process to tackle this,” he said. “Guidance from regulators will be required to assist companies in going through this exercise, as those considering a switch from the Privacy Shield to SCCs to legitimise their data flows urgently need clear information from the European Commission about the timing of its revised sets of SCCs.”

The European data protection supervisory authorities, together comprising the European Data Protection Board (EDPB), have published some guidance on the Schrems judgment, although there is little in the way of concrete, practical guidance.

The EDPB reminds EU businesses that they must understand their chain of processing and be clear about where their data are processed, and whether the laws of the relevant country ensure an EU standard of data protection. If not, they must re-negotiate their contracts to forbid transfers to those countries.

“Of interest too is the fact that the Binding Corporate Rules (BCRs) transfer mechanism is specifically called out,” noted Dumont. The EDPB considers that transfers under BCRs have exactly the same problem as transfers under SCCs.

“As matters stand, it is by no means clear how affected businesses can navigate these challenges, yet they cannot stand back and do nothing - a risk-based approach will be required.”

He added that the ruling is likely to encourage data localisation, with some already calling for European data to be processed in the EU. “There is also a possibility that the legal framework in certain countries will be regarded as too risky to accommodate EU personal data, with potentially serious repercussions for global commerce.”