JOHN THYS/AFP via Getty Images
show image

“A worrying prelude”: What the ECJ’s Privacy Shield ruling means for a UK data adequacy deal

The European Court of Justice’s (ECJ) surprise decision to invalidate an EU-US data sharing agreement could deal a blow to Britain’s efforts to secure its own EU data deal after Brexit, legal experts have warned.

The influential international court handed down the ruling on Thursday morning after concluding that mechanisms, dubbed Privacy Shield, to protect European data from US state surveillance were inadequate.

It marks the second time the ECJ has invalidated an EU-US data sharing agreement, having scrapped the previous Safe Harbour deal in 2015. Both cases were brought by the Austrian privacy campaigner Max Schrems in light of revelations made by Edward Snowden, the American whistleblower.

In a statement, the court said: “The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”

However, the court did not invalidate the standard contractual clauses (SCCs) used by many tech companies, including Facebook, to transfer EU data to the US. This means that firms will still be able to legally move European citizens’ data to the US, albeit with a higher administrative burden. Thomas Boue, director-general of Europe, Middle East and Africa policy at the Business Software Alliance, told the Financial Times: “We are relieved that SCCs remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”

Tamara Quinn, a partner at Osborne Clarke, noted that when Safe Harbour was invalidated, businesses were given a grace period to reform how they transferred personal data to the US. “Let’s hope they’re afforded the same this time around.”

“Little, if any, enforcement action”

However, the extent to which the ruling will protect user privacy has been called into question by some legal experts. Speaking to NS Tech, Ross McKenzie, a partner at the law firm Addleshaw Goddard, warned that under the terms of the ruling, “already over-stretched data protection officers” (DPOs) will be forced to scrutinise data transfers “more carefully than ever – with businesses expected to suspend transfers if there is a risk the provisions cannot be complied with”.

But he added: “It is already a difficult task to manage international data transfers, and this new expectation may not be received well by boards of management operating in a global industry. In reality, DPOs are likely to struggle to achieve meaningful engagement particularly when there is little, if any, enforcement action in this area by regulators in this space.”

UK data adequacy deal

One of the most significant consequences of the ruling might be what it means for the UK’s chances of securing a post-Brexit data adequacy decision.

In November last year, the UK signed a deal with the US making it easier for British law enforcement agencies to obtain data stored in the US, and vice versa. The European Data Protection Board has already warned that the deal could jeopardise the UK’s chance of securing a data adequacy decision.

But McKenzie warned that today’s ECJ ruling will cast further doubt on the prospects of a UK-EU data deal. “This finding is a worrying prelude for the UK’s hopes of a ruling that their data protection laws are adequate in the eyes of Europe,” he said. “The fact that the UK has had condemnation from Europe for their surveillance laws will not bode well in light of the renewed criticism of the US’s attitude to snooping. The impact of the UK not being found as having adequacy will be a blow to our economy which depends so much on the free flow of data.”

Quinn added: “The ECJ’s decision to invalidate the EU-US Privacy Shield raises significant concerns about transfers of personal data from the EU to the UK post-Brexit. The ECJ took issue with the lack of limitations in U.S. law on the access and use by US public authorities of data transferred from the EEA to the US. To have any hope of achieving adequacy, the UK will need to show that the same cannot be said here”.