On 9 July Max Schrems an Austrian privacy activist took a long-running legal battle against Facebook over its data transfers to the U.S. to the European Union's highest court for a second time.
While the case concerns just one company, it could have wide reaching ramifications for the mechanisms for transferring personal data, and depending on the outcome of the Brexit negotiations, enormous consequences for companies operating in the UK that exchange data with the EU and the rest of the world.
The underlying question on which the European Court of Justice (ECJ) heard arguments is whether Facebook's Dublin-based subsidiary can legally transfer users' personal data to the U.S. parent company.
However, the full scope of the case means that it brings into question the validity of both the EU-US Privacy Shield and Standard Contractual Clauses (SSC’s). SCCs are a critical part of the data transfer regime under GDPR as they are the primary mechanism to allow an EU company to transfer personal data to another company if that company exists in a country without an EU adequacy agreement.
Were the ECJ to rule against either Privacy Shield or SCCs as legal forms of transfer, it would significantly reduce the options available to ensure the free flow of personal data.
Max Schrems also brought the 2013, appeal to the ECJ, following the Edward Snowden revelations, that resulted in the striking down of the EU – US Safe Harbour framework. That decision caused major problems for companies working across the EU and US, with one company reporting having to change 2 million contracts to ensure the legality of data flows. The striking down of Safe Harbour resulted in crisis meetings between the US and the EU to agree a new relationship, resulting in Privacy Shield.
While Schrems has not brought the case with the aim of invalidating Privacy Shield or SCCs, the Irish court from which this case has been referred has set a total of 11 questions to be answered by the ECJ , these have the potential to result in a decision invalidating both Privacy Shield and the SCCs. Data protection lawyers will therefore be watching the for the ECJ’s decision very closely.
The case also creates a potentially massive headache for UK firms of we were to leave the EU in October with No Deal. Advice from both Government and the Information Commissioner has highlighted that companies preparing for a potential No Deal should ensure that SCCs form part of all personal data transfers from the EU to the UK, in order to ensure they are legally valid in the event of No Deal. Should SCCs then be struck down, this planning could have been for nothing and the already limited options for enabling the free flow of data would be even further restricted.
The concern highlights again why a No Deal Brexit is such a risk for the tech sector. In order to avoid relying on SCCs the UK will need to go through the process of securing an adequacy decision from the European Commission. An adequacy agreement is achievable during a transition period, but the length of time that this will take is uncertain. The shortest decision was concluded in 18 months and the European commission will not begin the process until the UK is a third country, after it has left the EU.
The timing of the ECJ case is therefore critical. The first step will be for the Advocates General of the ECJ to issue a preliminary, non-binding opinion to the court. This is expected on 12 December. The advocates general decision often foreshadows the final ruling of the court meaning we will get a good measure of the likely outcome of the case in December.
The final, binding, decision from the court is due in early 2020.
The optimal outcome for the industry is that SSCs are not invalidated as this would have huge ramifications, not just for the UK, but for the global regime for transferring data. techUK will continue to monitor the progress of the case at the ECJ and will seek to advice members on what they can do depending on the outcome.