Europe’s top court will decide on Thursday whether the legal agreements used by companies to share data between Europe, the US and other countries are in breach of European law.
The European Court of Justice’s (ECJ) decision could cause disruption for companies that rely on contractual agreements known as standard contractual clauses (SCCs) to share data overseas in compliance with European data protection laws.
Businesses are also bracing themselves for the “nuclear option”: that the court may opt to strike down Privacy Shield, the overarching agreement that allows Europe and the US to share data without falling foul of Europe’s data protection laws.
The case, brought by the Irish data protection commissioner Helen Dixon, is part of a long-running battle fought by Austrian lawyer Max Schrems against Facebook Ireland. Schrems is challenging the legality of the social media company’s transfer of personal data to the US.
At its heart is the clash between Europe’s General Data Protection Regulation (GDPR), which gives European citizens the right to data privacy, and US mass surveillance legislation, which gives the US intelligence agencies access to the data from companies such as Facebook once it reaches US shores.
The Irish High Court has referred 11 questions to the European Court of Justice, which will give its response this week.
Decision ‘critical for international trade’
For companies that rely on SCCs and Privacy Shield to share data overseas, there is a lot riding on the court’s decision.
“The importance is huge, because the case is questioning the legal mechanism that everyone takes for granted that has been in operation for decades to transfer data from Europe to anywhere else in the world,” said Eduardo Ustaran, a partner at law firm Hogan Lovells.
Eleonor Duhs, director of the privacy and information law group at law firm Fieldfisher, said the case could have implications for international trade.
“Part of our way of doing international trade is about processing, exchanging and sharing personal data,” she said. “So this case, which talks about whether that’s lawful or not, is absolutely crucial. And the question is, can that continue?”
According to the Business Software Alliance, one of the parties in the case, as of October 2019 more than 5,000 companies across the US relied on Privacy Shield. Over 100,000 companies use SCCs to share data with the US and other countries.
Advocate General: Ireland’s Data Protection Commissioner should take action
The European Court of Justice normally – but not always – follows the opinion of the Advocate General.
In December 2019, the Advocate General, Henrik Saugmandsgaard Øe, issued a preliminary opinion that found standard contractual clauses were lawful.
He argued that responsibility should fall to national data protection supervisors – in this case the Irish Data Protection Commissioner – to suspend data transfers under SCCs if they fail to meet EU law.
Although Saugmandsgaard Øe found that the European Court of Justice did not need to make a decision on Privacy Shield, he did raise serious questions about its legality.
“I have doubts about the validity of the finding that the US guarantees, in the context of their intelligence services…an adequate level of protection,” he said.
It is far from certain, however, that the European Court of Justice will follow Saugmandsgaard Øe’s recommendations.
According to people familiar with the proceedings, in contrast to Saugmandsgaard Øe, the judge presiding over the case appeared to take the view that the court could not rule on standard contractual clauses without also ruling on the validity of Privacy Shield.
There is a range of scenarios that the court could consider, the most extreme being to invalidate SCCs or Privacy Shield, or both.
The court could also choose to keep SCCs as they are, but give companies more responsibility for ensuring they comply with EU data protection law.
And it may argue that the Irish Data Protection Commissioner, Helen Dixon, already has the powers she needs to annul individual SCC agreements, such as the agreement between Facebook Ireland and Facebook Inc in the US.
Scenario 1: Court invalidates SCCs
For businesses, the worst-case scenario would be a decision by the court to declare standard contractual clauses invalid.
“That would be huge,” said Fieldfisher’s Duhs, “because that’s the most usual mechanism used to transfer data.”
Research by the International Association of Privacy Professionals shows that around 88% of international transfers rely on SCCs.
“If the court says SCCs are not lawful, that is really, really significant and really worrying,” she said.
Scenario 2: Court invalidates Privacy Shield
It is possible, though less likely, that the court may decide to invalidate Privacy Shield.
Facebook introduced legal arguments about Privacy Shield late in the case, arguing that if US surveillance law is not a bar for Privacy Shield, then it should not be a barrier for SCCs.
Nevertheless, there is precedent here. Back in 2015, the Court of Justice ruled that Privacy Shield’s predecessor, Safe Harbour, was invalid.
Then the court found that Safe Harbour was unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe, and therefore did not provide an adequate level of data protection.
Scenario 3: Court delays decision on Privacy Shield
One likely outcome is that the ECJ will wait for another case before deciding on the future of Privacy Shield.
That case may not be long in coming. Privacy Shield faces a separate legal challenge from the French online privacy and anti-censorship group La Quadrature Du Net (LQDN) and others, in the General Court of the EU, a lower court than the Court of Justice.
They argue that Privacy Shield breaches the fundamental rights to privacy under the Charter of Fundamental Rights of the European Union, that Privacy Shield fails to assure European citizens effective remedies against misuse of their data in the US, and that it does not offer equivalent protection to EU data laws.
The EU and the US have held intensive discussions on the future of Privacy Shield, anticipating that even if it is not invalidated this time around, it may come in for criticism from the ECJ.
Scenario 4: Court puts onus on companies to police SCCs
Another scenario is that the European Court of Justice follows the Advocate General by allowing SCCs to remain valid.
But it will put the onus on companies to ensure that when they exchange data with the US, they are doing so in compliance with EU law.
That could mean requiring US companies to disclose transparency reports about their disclosure of data to US intelligence services, and it could require them to oppose national security requests for data that conflict with EU law.
“You would need to top up SCCs with a contract that provides greater transparency. You can have a contract that says if you have disclosure, make sure they comply with law, require a court order, only respond in a minimal way,” said Hogan Lovells’ Ustaran.
Scenario 5: Data protection commissioners will police SCCs
The court may, however, choose to reinforce the role that data protection commissioners already have in policing the adequacy of standard contractual clauses.
This is an option that the Irish data protection commissioner, Helen Dixon, rejected in the dispute between Schrems and Facebook.
Dixon argued that if she took action in Ireland, that risked creating a lack of harmonisation across the EU. She referred the matter to the European Court of Justice for clarity.
Gerard Rudden, partner at Ahern Rudden, who represents Schrems, regards a decision by the European Court of Justice to require Ireland’s data protection commissioner to suspend data flows from Facebook to the US as the best outcome for his client.
“That is what we have sought and that is what the Advocate General has recommended to the court,” he said.
The data protection commissioner could have suspended Facebook’s data sharing with the US four years ago, without a diversion to the ECJ.
“As a result of not doing this, there’s been four years of data flows that shouldn’t have taken place between Facebook Ireland and Facebook Inc for 250 million or 300 million Facebook users,” said Rudden.
“What we say is that it’s unnecessary for Facebook to transfer all of this data to the US. It might be necessary for them for their structural reasons and for their profitability. But it’s not actually strictly necessary,” he said.
Schrems: Impact of decision could be limited
Schrems argues that the potential impact of a court ruling that makes data transfers to the US more difficult has been exaggerated by companies and lobby groups.
If the case goes the way of the Advocate General’s opinion, and puts the onus on data protection authorities to suspend data sharing with the US, the majority of organisations sharing data with the US will not be affected.
The companies that will be affected are “electronic service providers”, including Facebook, that have legal obligations to share personal data with the US National Security Agency, and other US government organisations.
“SCCs can still be used in certain industry sectors in the US. For example, defence, airlines, hotels, manufacturing, logistics – all of that does not fall under these US surveillance laws. So there is no reason to stop the data transfer here,” he said.
Other companies may decide simply to store their data in Europe. “That’s often cheaper for companies because there’s just less compliance cost. You don’t need lawyers, you don’t need paperwork, you can just get a server more or less overnight.”
Data transfers will not dry up immediately
Whatever the decision, data transfers between the EU and the US or the EU and other countries will not stop overnight. “I think there would have to be a grace period,” said Duhs.
“I can’t see them enforcing straightaway against companies. I think data transfers are part of international trade and that needs to keep going, particularly in the current crisis where we’ve all had so much strain on resources. I think, you know, suddenly stopping all data flows would be a huge barrier for trade,” she said.
“The world is not going to stop, but regulators will encourage businesses to find other mechanisms to transfer their data,” said Ustaran.
“Businesses will be under pressure to justify to their compliance teams, their auditors, that their operations are lawful. They will need to come up with ways to mitigate the privacy of their data when they transfer data overseas.”
The European Commission is developing new standard contractual clauses and is likely to accelerate that work if the court finds problems with the existing SCCs.
Nevertheless, the transition period may be difficult for companies, said Duhs, and will inevitably take up time and resources. “At a time when businesses are struggling with resource anyways, this would be very unwelcome, I think, and problematic.”
Implications for Brexit
The European court’s decision may also have implications for the UK after Brexit. Data transfers from the UK to the EU will be unaffected until 2024.
The big question is whether the EU concludes that the UK offers EU citizens adequate protection for their data, under the UK’s surveillance law, the Investigatory Powers Act.
If not, companies will need to rely on standard contractual clauses to transfer data from the EU to the UK. “We won’t yet know what the outcome of these negotiations will be,” said Duhs.