MAX POWER – Is the US-UK-EU Special Data Relationship Over?
Partner and Head of Creative, Digital & Marketing Law at BLM, Steve Kuncewicz looks at a key new development in cross-border data law.
It’s been two years since the GDPR and the Data Protection Act 2018 came into force. A huge amount of thought, debate and effort has gone into how businesses should react to the amplified effect of EU and UK data protection law: the strengthened rights of individuals where their personal data is misused, the increased sanctions for that misuse, and a stream of both helpful and unhelpful Court decisions which appear to make seeking redress through proceedings progressively easier. Meanwhile, the issue of how personal data can and should be shared with businesses and other entities based in the US has rumbled along fairly quietly and with less fanfare.
The reason for this is the operation of the fantastically-named “Privacy Shield”.
What is the "Privacy Shield" and what does it protect?
The GDPR restricts the transfer of personal data (i.e. any information which refers, in whole or in part, to an identifiable, living individual) outside the EU, to ensure that the privacy rights of its citizens remain protected and are not undermined by other countries which may not meet its high standards. However, as personal data has increasingly become a hugely valuable commodity and key to the operation of the global social media and commerce ecosystem, EU data protection law has developed a number of mechanisms to ensure the international protection of EU data subject rights. These include designating some countries as having “adequate” data protection laws, so that they are treated to all intents and purposes as if they were part of the EU and personal data can be transferred to them freely; making sure that data transfers take place subject to approved standard contractual clauses; or the implementation of “binding corporate rules” between the parties involved in the transfer.
What is "Safe Harbour"?
You may be forgiven for thinking that, as such an important trading partner and home to many of the global tech giants dependent upon the free flow of personal data, the United States would be viewed as an “adequate” destination. It was previously covered by a data transfer agreement with the EU referred to as “Safe Harbour”. This was the case until October 2015, as a result of privacy activist Max Schrems complaining to the Irish Data Protection Commissioner over the transfer of personal data relating to EU citizens to Facebook’s US business, which is required by US law to make that information available to authorities including the CIA, FBI and NSA for use in mass national security programmes which only US citizens could object to. Schrems’ concern, shared by a great many social media users, was that their activity would be spied upon and their rights seriously undermined by widespread and unjustifiable surveillance by the US Government.
As such, when Schrems’ case came before the European Court of Justice in 2015 and in the absence of an adequacy decision in favour of the USA, “Safe Harbour” was replaced by the “Privacy Shield”. This allowed for data transfers from the EU to the USA on the basis that participating companies were deemed to provide adequate protection, since EU citizens were able to seek enhanced protection and redress for misuse of their personal data and transparency over how personal data was used was improved. Under the auspices of the Privacy Shield, the flow of personal data between the EU and USA has continued for the best part of 5 years.
Until, that is, the recent decision on Max Schrems’ second, reformulated complaint to the Irish DPC, heard by the ECJ on 16 July. Like Safe Harbour before it, Privacy Shield has been declared invalid on the basis that it didn’t do enough to protect the privacy of EU citizens, as a result of the continued activity of US government surveillance, which can go beyond access that is strictly necessary and cannot be challenged through the US Courts. However, standard contractual clauses remain a workable framework, at least for the time being, until another regulator may rule that even they don’t go far enough if they can’t be complied with in a country without an adequacy decision to which personal data is transferred from the EU.
So, is this the 'datapocalypse'?
It’s complicated. Not only does the US not have an adequacy decision in its favour, there is a risk that the UK may not easily be able to obtain one post-Brexit if it continues to share personal data with the USA, an issue already flagged up as part of that debate.
Businesses will need to revisit their personal data transfer arrangements to see which have relied upon the protection of the Privacy Shield and look to impose standard contractual clauses wherever they can.
It’s likely to be some time before we see the full effect of Schrems’ one-man crusade against indiscriminate surveillance across social media, but this interventionist move by the EU may lead to the hasty introduction of a new agreement with the US to allow for the “safe” transfer of personal data, or see businesses working overtime to find new legal methods, or kitbash existing ones, to legitimise those transfers. The ICO will provide guidance sooner rather than later, but until then it’s going to be up to the market and their lawyers to plug compliance gaps or potentially face GDPR fines at the levels they’ve been warned about since 2018. Individuals more aware of their privacy rights will expect nothing less, and possibly far more.
Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to customers of BLM. Specialist legal advice should always be sought in any particular case.