The European Court of Justice (CJEU) has invalidated the Privacy Shield framework for data sharing between the US and EU countries, creating new challenges for future data transfers.
Invalidation of the framework means that EU countries will now have to sift through US law documents to ensure data transfers between them are lawful.
Countries that were working to replace Privacy Shield with standard contractual clauses (SCCs) have been told they must now take more responsibility to ensure that they are compliant with EU data protection and human rights laws.
The ruling comes after a case brought by the Irish data protection commissioner, Helen Dixon, against Austrian lawyer Max Schrems and Facebook.
Speaking at an online conference, Dixon said that the decision had “put a spotlight” on the need for businesses to carry out legal assessments before sharing data with countries outside of Europe.
“The judgment is clear that that is what is going to be required. That burden for smaller companies is enormous,” she said.
“As director of a data protection authority conducting that analysis, it is an extremely labour-intensive, expensive process. The challenges are enormous.”
In response to the ruling, European countries that rely on Privacy Shield for data transfers are waiting for guidance from EU data protection regulators, who have yet to respond to questions.
The European Data Protection Supervisor (EDPS) said in a statement that it will “continue to strive for a coherent approach among supervisory authorities regarding international transfers” and is “analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies.”
The ruling could have massive implications for technology companies in Britain as the country prepares to leave the EU.
Once the transition period ends, the decision could have ramifications for UK-based organisations that currently transfer data to the US.
A spokesperson from the Information Commissioner’s Office (ICO) said the organisation will do all it can to protect British businesses: “The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy,” it said.
“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
Mark Kahn, general counsel and vice-president of policy at Segment, a supplier of customer data platform services, told ComputerWeekly that the court has made a “strong statement” in favour of individual data protection rights, and indirectly set an “interesting challenge” for the UK’s future data relationship with the EU.
Bridget Treacy, the data privacy partner at Hunton Andrews Kurth LLP, a London-based law firm, also spoke to ComputerWeekly: “There has obviously been very extensive scrutiny of the US agencies’ and intelligence services’ powers to commandeer information and gain access to it, just as with every other country that has made it onto the European adequate list.
“The UK is also going to be subject to that scrutiny. So once we’re outside the EU and applying for adequacy recognition from the European Commission, we can expect that our legislation will also be subject to scrutiny just as the US has been and, indeed, as other countries on the adequate list will have been as well.
“That’s where there’s uncertainty, and you know there will be close scrutiny and there will probably be some issues raised. I don’t think it’s a straightforward path at all for the UK to pass that test and to be designated as adequate.”