Companies hope to avoid ‘catastrophic’ EU data-transfer ruling
An impending privacy ruling has the potential to wreak havoc for companies transferring data outside the EU.
Legal experts are confident that a “worst case” judgment will not be reached, but still warn of far-reaching implications.
It involves a case against Facebook by a privacy defender who contested sending his information to the United States.
Thousands of companies rely on existing measures, which are at risk.
The case before the European Court of Justice (ECJ) is complex, but it partly depends on the concern that U.S. law requires Facebook to hand over personal data to authorities such as the National Security Agency or the FBI.
Max Schrems, an Austrian citizen, filed a case in 2013 after Edward Snowden’s losses revealed the extension of U.S. surveillance.
As a result, the European Court of Justice canceled the long-standing Safe Harbor agreement in 2015.
Subsequently, the EU and the United States have come up with alternatives, which Schrems has again contested, and this is now before the European Court of Justice.
“The concern has always been: when the data leaves Europe, what’s going on? They may not have equivalent rights and people may not have equivalent protection,” explained Jonathan Kewley, co-manager of the law firm Clifford Chance.
- Facebook questioned the data transfers in court
- Google and Facebook face GDPR complaints
Most large companies use what are called SCCs – pre-established, non-negotiable contracts entered into by Europe, which legally commit companies to meet certain standards.
An opinion written by an advocate general written in December recommended that the SCCs remain, despite some concerns. However, the court is not required to follow this recommendation and may still declare them invalid.
Kewley said it was “unlikely”, but if that happened, it would be “rather catastrophic”.
“It would be an extreme and unwelcome decision … and I’m not just talking about tech companies. It’s all about the business.”
This would affect most countries outside the EU. For example, it could affect a company that wants to send human resources or wage data to a location outside the EU or that wants to store personal data in cloud storage located in the United States.
This would not affect strictly necessary data transfers, for example by sending an email to a hotel overseas to book a room or visit a website based in China.
Kewley said that a “far more likely scenario” is that SCCs will be monitored more closely in the future, or considered on a case-by-case basis.
Any decision is unlikely to affect the UK, even after the end of the Brexit transition period later this year.
European GDPR (General Data Protection Regulation) rules have been adopted in UK law and it is widely expected – though not certain – that a so-called “adequacy decision” will be granted, effectively stating that the rules on UK privacy is up to the EU standard.
This could change in the future if the UK changes its laws to deviate from current rules.