Is the tide going out for transatlantic data flows?

06.10.2017

This article was first published in Computer Weekly, October 2017
Businesses face new uncertainty over their ability to share data with the US, as Europe’s highest court reassesses the legality of the EU’s model data-sharing contracts
The Irish courts have ruled that the highest court in the EU will again need to look at the legality of the ways in which data can be transferred to the US. The potential implications of the ruling are huge. One need only look to the widespread uncertainty and panic that resulted from the EU court’s 2015 decision on this issue invalidating Safe Harbor, a widely-used legal mechanism that allowed for EU-US data flows.
At issue this time are the standard contractual clauses – a set of model contract terms approved by the European Commission (EC) that allow the parties that have signed up to share data outside the EU. Far more businesses rely on these than ever relied on Safe Harbor. Indeed, following the demise of Safe Harbor, the standard contractual clauses ironically became a “safe harbour” for most businesses affected, allowing them to continue sharing data with those in the US. A ruling to invalidate them would make regular sharing of data with companies outside the EU almost impossible for most, unless an alternative solution can be found.
The risk is at least not immediate – a judgment will take at least 18 months, during which time the standard contractual clauses remain valid. However, this underlines the challenges of finding a long-term solution. One gets the sense from the judgment that the EC – the architect of Safe Harbor and its replacement, Privacy Shield (along with the US) and the standard contractual clauses – may be running out of road. Key measures adopted by the EC recently did not encourage the Irish courts that EU data is being protected in the US.
One of the major criticisms of the European court in 2015 was that Safe Harbor restricted the ability of the European data protection regulators (DPAs) to do their job. This type of restriction was also a feature of the standard contractual clauses. The EC made some crucial changes at the end of 2016, ensuring DPAs had powers to intervene and suspend transfers that breached EU law. Despite these changes, the Irish court held that there was “a strong argument” that the vesting of such powers in each competent DPA “does not provide the answer to the concerns raised”. A more uniform solution may be required, but it is unclear what that would look like in practice.
The ruling also delivered a blow to Privacy Shield. The creation of the ombudsman mechanism under Privacy Shield, through which EU citizens could refer questions and receive assurance that the intelligence community was complying with applicable laws, was heralded as a major breakthrough. The Irish court, however, was less than persuaded of its merit. “I share what I consider to be the well-founded concerns…the ombudsperson mechanism does not remedy the issues”, the judge said. The ruling comes at a crucial time for Privacy Shield, which has just undergone its joint annual review by the EC and the collective body of EU DPAs, with many calling for significant improvements to be made for it to remain viable.
There are some important differences between Safe Harbor and the standard contractual clauses, and talk of the latter’s demise may be premature – particularly before seeing the questions the European court is being asked to answer. For instance, from May 2018, EU data protection laws adopt a truly global reach, impacting US organisations collecting EU data directly, which could affect the European court’s assessment.
Whatever the ultimate decision of European courts, this ruling creates even more uncertainty and doubt for the foreseeable future. Businesses can, however, be encouraged that over the last few years the EC has shown itself to be more than capable of moving quickly to put in place legal mechanisms to allow for transatlantic data transfers – albeit temporary and imperfect ones.
Finally, spare a thought for the UK, which is pushing hard to achieve “mutual recognition” of data protection laws with the EU. There are serious doubts as to whether it will be able to do so and this judgment again reinforces the difficulties it faces. What should perhaps worry the UK even more, however, is that even the fall-back mechanisms, such as standard contractual clauses, may not be a viable long-term solution.
