Businesses worldwide brace for ECJ ruling on data transfers

Visual representation of GDPR and the UK's independence from the EU

On Thursday the European Court of Justice is expected to deliver a highly anticipated ruling that could have profound implications for how businesses across the world transfer personal data to and from the European Union.

Two important decisions will be made: whether standard contractual clauses are valid for transferring data out of the EU to the rest of the world, and whether Privacy Shield is adequate for data transfers from the EU to the US.

If both of these are ruled to be invalid, it's very likely that businesses in the UK, the US, and anywhere that has dealings with EU data would find it incredibly difficult to extract personal data from the EU legally. This will be particularly alarming for any international businesses that have offices in the EU, as customer data, partner data, and some internal data collected by HR are all likely to be affected by this ruling.

What is ‘Facebook Ireland vs Max Schrems’ looking at?

The case in question originally came from a dispute between Facebook Ireland and privacy activist Max Schrems, but has since ballooned into something far more profound.

Standard contractual clauses (SCCs) act as an addendum to contracts, allowing companies to bake in data protection rules that dictate what parties involved can and can’t do with data. This effectively allows businesses to bypass the need to underpin their data transfers with national data protection laws, something which is incredibly useful when sending data to countries that do not have a formal data partnership with the EU.

Facebook came to rely on SCCs following an earlier challenge in 2015, once again by Max Schrems, over the company’s use of Safe Harbour, the data transfer arrangement between the EU and the US and a precursor to today’s Privacy Shield. Schrems won that case, which resulted in the invalidation of Safe Harbour, forcing Facebook to SCCs as an alternative.

In the current case, Schrems claims that Facebook's use of standard contractual clauses to underpin their data transfers between its Ireland headquarters and its head office in Silicon Valley is unjustified, arguing that these do not provide enough safeguards for customer data. Specifically, he argued that surveillance arrangements under PRISM allow security services to access transferred data, something which has been ruled incompatible with the EU's Charter of Fundamental Human Rights.

The original complaint argued that SCCs should be judged on a case by case basis, meaning that this particular case should only question Facebook’s actions. However, the European Court of Justice, in cooperation with Ireland’s Data Protection Commission, took the view that the legitimacy of SCCs as a whole should be assessed. The case, therefore, will have profound implications for any business currently using SCCs as a mechanism.

Why is the invalidation of SCCs an issue?

The biggest problem surrounding this case is that businesses have very few mechanisms available to them to legally transfer data, and SCCs are arguably the most convenient for most cases.

By far the best solution for businesses is to operate under an adequacy agreement. This is where the EU recognises a non-EU country as having data protection laws that are as robust as GDPR. Within the scope of data transfers, this means businesses are free to send data to these countries without additional justification. This is regarded as the gold standard, but so far the EU has only recognised 13 countries as being adequate: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the US (through Privacy Shield), with a further agreement being worked on with South Korea.

For any data transfer to a controller or processor based in a country not on that list, a different mechanism is required. This is where SCCs usually come in, as they provide a way of meeting that data protection standard by setting this out in a contract.

This has a major implication for Brexit (see below), as the UK will only be able to negotiate an adequacy agreement with the EU once the transition period ends in January 2021. If the agreement is delayed for any reason, this could, theoretically, leave the UK without a legal mechanism for receiving data from the EU.

Beyond these two mechanisms, it becomes increasingly difficult to operate legally under GDPR. One option businesses do have is to use Binding Corporate Rules (BCRs), which are designed to allow an international company or multinational corporation to transfer personal data from the EU to their affiliates in other countries. However, as you might tell, these only cover internal transfers – that is they do not cover transfers to third parties or suppliers.

RELATED RESOURCE

IT Pro 20/20: How regulation is shaping innovation

The fifth issue of IT Pro 20/20 looks at how new rules are forcing companies to change the way they do business

FREE DOWNLOAD

In reality, only around 180 corporations worldwide use BCRs, according to the BSA Software Alliance, with the majority of businesses using a combination of Privacy Shield (for EU-US transfers) and standard contractual clauses – that is if they aren’t covered by an adequacy agreement.

An invalidation of SCCs would mean that many companies would have no legal alternative for data transfers. How that will look in real terms will depend on the ruling.

How will the ruling affect businesses?

It’s impossible to say what the ruling will be, yet a non-binding opinion offered by the advocate general at the ECJ last December suggested that SCCs were legal provided that adequate data protections were in place and enforced by the companies. However, it’s unclear whether the ECJ will follow this advice.

Outcome 1: SCCs are universally invalid

The most drastic outcome is that SCCs are ruled invalid, which means that they will no longer be legal to use under the scope of GDPR.

This would have profound implications for businesses, as many organisations rely on these, whether solely or in a combination with other mechanisms. This would mean that every business transferring data outside of the EU will need to reassess their processes and, in some cases, scrap these arrangements entirely in order to comply with GDPR.

"Many organisations rely heavily on standard contractual clauses, and though there are various possible outcomes of the CJEU hearing, a worst-case scenario could see standard contractual clauses declared invalid," explains Emma Erskine-Fox, associate at UK law firm TLT. "This would have a significant impact on many organisations, as suitable alternative adequacy mechanisms may prove hard to come by."

Outcome 2: ECJ makes a narrow ruling on SCCs

This is perhaps the most likely outcome. The ECJ could rule that only certain uses of SCCs are invalid, which would be the preferred ruling for most businesses.

In that case, a ruling may require more robust mechanisms for transfers to countries with proven incompatibilities with EU data protection laws or the Charter for Fundamental Human Rights, such as overly-invasive surveillance activities in the US. Equally, the ruling may simply require businesses to adjust current practices in line with new guidance.

Even in this case, businesses will be required to reassess their SCCs and update them where necessary.

Outcome 3: SCCs are valid and no action is required

It’s also possible that the ECJ decides that standard contractual clauses are valid in their current form, although this is unlikely as many legal experts have suggested that some changes will be required.

If SCCs are ruled invalid, what happens next?

If SCCs are ruled to be invalid, organisations and data protection authorities across the European Union, as well as those areas it sends data to, will need time to consider the judgement.

"If you cast your mind back to when Safe Harbor was invalidated, the Article 29 Working Party (now the European Data Protection Board) suggested there might be a grace period of three months for improvement action," says Eleonor Duhs, director of technology, outsourcing and privacy at law firm Fieldfisher. "[The ECJ] may give some time for the Commission to put something else in place. So don't panic, there's going to be time to consider the judgment".

"Are data flows going to stop? It's very unlikely," adds Duhs. "Data is the currency of our modern trade and our global business and that sort of thing. So that would be quite a drastic outcome, I think.”

A grace period is very likely, particularly as many companies will still need to transfer data but face the possibility of doing so without a legal mechanism. In that case, they are weighing up risk of enforcement against business disruption. However, it’s important to note that if a complaint was made by a customer against a company during this grace period, individual national data protection authorities would still be able to take action.

"We would expect there to be a grace period to allow businesses to find an alternative data transfer mechanism, however, it's worth fully investigating the suitability of these alternatives," argues Erskine-Fox. "Privacy Shield only applies to EU-US data transfers and may itself be declared invalid by the Court of Justice of the European Union later this year and Binding Corporate Rules only legitimise intra-group transfers and take months to implement. Other derogations, such as consent, are usually impracticable."

Who will be most affected?

Max Schrems, the activist who brought the challenge against Safe Harbor and eventually kickstarted the SCC review, argues that smaller businesses are likely to be the most affected by any invalidity ruling.

"One thing, especially for smaller businesses, [you should] reconsider if you really need to have data flows to some foreign jurisdiction where all of this is complicated," says Schrems. "I encourage companies to think about the compliance costs, and probably get a local vendor, that may cost 10% more, but gets rid of all kind of international data transfers, if it's relevant for your business. There are ways to oftentimes avoid these minefields by just saying, 'I'd rather give up the 10% that I save with cheaper hosting, [and avoid] a headache and the need for the whole legal department to work on it for a month, because that is technically more expensive than the savings you have."

Emma Erskine-Fox agrees, adding that, while organisations wait for updated guidance from the European Commission, "it's worth assessing whether the relevant transfers are strictly necessary and considering alternative arrangements for data transfers". In some cases, businesses "may wish to consider bringing data back within the EEA to help reduce the impact".

However, not all agree with this sentiment. Mark Taylor, partner at international legal practice Osborne Clarke, argues that while the SCC review represents an "extremely important case for thousands of companies around the world", he believes that data protection regulators will take a pragmatic approach.

"The European Commission has indicated that it is already working on new versions of standard contractual clauses, and it would be sensible to understand the direction and likely outcome of that activity before changing current arrangements," argues Taylor. "In the longer term, any invalidation of standard contractual clauses is likely to drive renewed interest in alternatives, such as binding corporate rules or certification solutions under GDPR."

What does this all mean for Brexit?

Regardless of how Brexit happens, the UK will be attempting to secure an adequacy agreement in order to ensure data is able to flow from the EU to the UK (data from the UK to the EU will continue to flow irrespective of any deal).

While every indication suggests that this will happen, the process for securing such an agreement will only start once the country is out of the EU, and there is no time limit on how long that will take. It's very unlikely that this will be sorted quickly, as no member state has ever attempted to divorce itself from the EU. This effectively forces the UK into a similar situation that the US faced over Safe Harbor, in which companies relied on the use of SCCs to maintain data flows while an agreement was negotiated.

In the event that SCCs are invalidated by the ECJ, this could theoretically leave UK businesses without a legal basis for which to receive data from the European Union, and therefore wide open to GDPR enforcement action.

"Brexit adds additional complexity," explains Bridget Treacy, partner and lead of the UK Privacy and Cybersecurity Practice at Hunton Andrews Kurth. "Once the UK leaves the EU, the UK will be like any other non-EU country in respect of data transfers and EU organisations will need a data transfer mechanism to continue to transfer personal data to the UK."

"In the absence of any period of grace, adopting a 'wait and see' approach during the period between the judgment and the European Commission's decision on new sets of Standard Contractual Clauses, risks a fine of 20,000,000 or 4% of the global annual turnover," she adds. "Clearly this not a practical solution. At a minimum, organisations should ensure they have identified potentially affected data flows, and start to consider whether any of the admittedly limited alternative transfer mechanisms may provide a solution to enable any or all of their data flows to continue."

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.