The Court of Justice of the European Union (CJEU) just delivered its Schrems II judgment, writing a new chapter of the never-ending saga about the adequacy of US privacy standards. The case called into question the legitimacy of Facebook's transfers of personal data from the European Union to the United States, and ended up invalidating the Privacy Shield decision of the European Commission (a certification mechanism which allowed US companies to adhere to EU data protection laws).
Although related to the US legal system, Schrems II sent a clear and wide-ranging message: free flow of personal data can take place only and insofar as third countries provide adequate protection for EU citizens' rights over their own data. Needless to say, this judgment has important implications for the United Kingdom as well, which will be leaving the EU by the end of this year.
Adequacy decision and surveillance laws
The CJEU ruled that processing of personal data by a country outside the EU for state security purposes does not fall outside the scope of the GDPR. In turn, it invalidated Privacy Shield on the basis that
- EU citizens do not have any available means to contest a decision made by US state security agencies, or seek remedies against the misuse of their personal data under US surveillance laws;
- US state security laws fail the proportionality and rule of law tests, thus being incompatible with the Charter of Fundamental Rights of the European Union.
This judgment should ring a bell in Number 10, as the UK plans to diverge from the EU data protection regulatory framework. On top of that, UK law enforcement agencies recently enraged EU Member States by making illegal copies of the Schengen II database.
Finally, plans to enter into a trade agreement with the US are now clashing against a judgement which declared US surveillance laws incompatible with the GDPR. This also calls into question the recent data sharing agreement with the US for investigative purposes, and its consequences for the level of protection UK law provides against US surveillance practices.
Standard Contractual Clauses and implications for businesses
The CJEU also covered the validity of Standard Contractual Clauses (SCCs), contractual terms that can be implemented by EU and non-EU companies to ensure data protection in third countries which lack an adequacy decision. In this regard, the Court confirmed the validity of the SCCs, but subjected their adequacy to a case-by-case analysis.
In practical terms, this means that UK businesses relying on SCCs to receive personal data from the EU will need to prove that their legal obligations under UK law do not prevent them from honouring the provisions of these clauses. Otherwise, the Court stated, "data importers" have the duty to inform their EU counterpart about their inability to stand by these terms. Likewise, EU companies willing to transfer personal data to the UK will have to check the enforceability of SCC terms against UK surveillance laws before commencing the transfer, or suspend it in case it becomes clear that the UK regime does not adequately protect personal data.
This part of the judgement is incredibly relevant for UK businesses. If unable to demonstrate compliance, and in the absence of an adequacy decision, the only option left to process EU personal data would be to obtain the explicit consent of the data subject. Such a scenario would inherently hinder their ability to conduct business with EU companies, as data transfers would face heavy legal and organisational burdens.
Data Protection Authorities have a duty to act
Finally, the CJEU ruled that Data Protection Authorities have the obligation to act upon having ascertained an infringement. This is an outstanding blow to the Irish Data Protection Commissioner, which has been refusing to enforce data protection laws for almost four years, and was recently caught advising Facebook on how to bypass GDPR rules.
However, our Information Commissioner's Office (ICO) should read this judgment very carefully as well: its recent behaviour has been far from exemplary, and almost two years after ascertaining that online advertising practices are infringing EU law, any meaningful regulatory response is yet to be seen. Furthermore, Google relies on both Privacy Shield and SCCs to process personal data, and the Real-Time Bidding system is no exception: given the CJEU judgment, it is now clear that the ICO must order Google to stop transferring bidding data to the US.
The UK stands at a crossroads. We can implement strong data protection standards and review domestic surveillance laws, or we can leave our privacy rights to the mercy of US state and corporate surveillance.
Open Rights Group has very clear ideas about which road we should take: more than half of UK international trade in services is linked to the EU and, given these premises, we believe the Government should aim to attain the conditions which allow businesses to freely exchange personal data. Furthermore, choosing not to do so would undermine citizens’ fundamental rights, jeopardising their privacy alongside their purses.
Finally, it is worth noting that several countries have been implementing data protection laws in line with the GDPR, and even in the US some States, such as California and Vermont, have adopted new legislation to strengthen privacy rights.
Times are changing, and the UK Government needs to realise that strong data protection standards are now a fundamental premise for trade relationships, as well as for consumer protection and citizens' participation in the Internet ecosystem. If you want to stay tuned, take a look at our campaign page, or join us, and contribute to the future of data protection in the UK.