The European Court of Justice has ruled to invalidate the EU-US Privacy Shield agreement on data sharing. Research Associate Oliver Patel (UCL European Institute) explains why this could hamper EU-US data flows and be a problem for Brexit Britain.
For the past 20 years the European Commission has invested much political capital in ensuring that data can flow freely from the EU to the US. On July 16, the European Court of Justice (ECJ) ruled to invalidate the EU-US Privacy Shield agreement on data sharing, on the grounds that the US is not a safe haven for EU citizens’ data due to disproportionate surveillance practices. That is a hammer blow to the Commission, and a monumental headache for thousands of US companies.
The judgement could hamper EU-US data flows, which underpin digital trade and much economic activity - from emails to clinical trials. It is also a problem for Brexit Britain. The UK is trying to secure an EU data adequacy decision that will allow data to move freely from the EU to the UK after Brexit. The ECJ could be an extra hurdle to that goal, and this ruling could lead to severe disruption to EU-UK data flows in the long term.
The (now invalid) EU-US Privacy Shield permits unrestricted transfers of personal data from the EU to over 5,300 US-based companies, which sign up to more rigorous data protection standards than US law requires. Activities like using Gmail, video calls on Zoom, or running CRM reports on Salesforce are all enabled by Privacy Shield. US technology corporations prefer to streamline data processing in fewer data centres, and most small companies use the services of tech giants (like cloud providers AWS and Microsoft Azure) - hence the significant volume of EU-US data flows.
Privacy Shield’s invalidation means that the chief mechanism used to transfer data to the US can no longer be used. Businesses can, however, continue to transfer data using "Standard Contractual Clauses", which Thursday’s ruling upheld. Most Privacy Shield-certified companies will likely resort to them. But this will be a costly bureaucratic and legal exercise for many firms, as some companies will have to negotiate and sign thousands of new contracts. These costs will be especially threatening to startups and small businesses.
Worse, today’s judgement calls into question the very idea that SCCs might work as a reliable and long-term mechanism for EU-US data transfers. Judges have now asked that data exporters using these agreements prove, before transferring data to the US, that the data will be afforded a level of protection equivalent to that within the EU. Given today’s strong ruling, it is difficult to see how this will be possible.
The judgement, indeed, encourages EU data protection authorities to investigate and potentially suspend SCCs used to transfer data to the US, and activists will no doubt pursue such cases with gusto. In the long run, without Privacy Shield, and with the potential suspension of critical (or potentially all) SCCs, serious disruption to EU-US data flows is highly likely.
It is possible that the US and the EU will try to hammer out a third data transfer agreement (Privacy Shield’s predecessor Safe Harbour was invalidated in 2015), but the room for manoeuvre and political goodwill has been compromised. The US is not going to reform its national security and surveillance legislation in pursuit of an EU data transfer agreement, so it is difficult to imagine what a resolution could look like.
Looking across the pond, the situation is hardly cheerier. The fall of the Privacy Shield also complicates an already difficult process for the UK in seeking a data adequacy decision from the EU.
The UK wants unrestricted data transfers with both the EU and the US. The former would ideally be achieved via an EU adequacy decision, whereby the European Commission formally recognises the UK as a safe haven for data transfers. The latter was going to be achieved by the UK and US essentially copying the EU-US Privacy Shield, which had been "rolled over" in UK law before Brexit. Today’s invalidation undermines both plans.
The EU will be concerned that if companies transfer EU citizens’ data to the UK, the UK might in turn transfer that data to the US, under the unlawful Privacy Shield framework. Put simply, the UK may not be granted adequacy if it is seen as a backdoor to unprotected US data transfers. The UK will have to decide what is more important: data flows with the EU or the US?
Furthermore, today’s judgement could alter the European Commission’s approach in granting adequacy decisions. The Commission has generally been flexible and pragmatic in ensuring the continuation of EU-US data flows and it is fair to argue that such flexibility may also be afforded to the UK, depending on the progress of the Brexit negotiations.
But now, the Commission will want to avoid another defeat in court and will carefully consider whether the UK’s national security system is compatible with EU law. The UK and US systems are not identical, but the Commission will be more wary when conducting the UK adequacy assessments.
If the UK fails to attain an adequacy decision, data exporters and regulators may also be sceptical of the use of SCCs to transfer data from the EU to the UK, rendering these mechanisms vulnerable. This could result in severe disruption to EU-UK data flows in the long term. This would be damaging for the UK’s services-based economy and especially problematic for the finance, life sciences and digital tech sectors, particularly data centres and cloud service providers.
That said, neither the ECJ nor data protection regulators can turn off the internet. Despite the judgement, huge volumes of EU-US data transfers will continue unabated, either via SCCs or unlawfully, and it is difficult to imagine any legal ruling or political agreement ever stopping this. Despite the complications for the UK, an adequacy decision is still very much in play, as the Commission strongly desires to keep the data flowing.
This article was first published in Wired on 17 July.