UK firms may soon find it impossible to legally receive data from the EU

Businesses hold their breath as ECJ debates landmark case on standard contractual clauses

UPDATE 8/07/2020: This case will now be heard on Thursday 16 July, when we expect a final judgement to be made. It's still unclear precisely what that judgement will be; however, a previous non-binding opinion by the advocate general for the Court of Justice of the European Union stated that SCCs were legal provided that necessary data protections were in place. Our original article explaining the background of this case continues below.

Ever since the invalidation of the US-EU Safe Harbor agreement in 2015, the transfer of data beyond the jurisdiction of European data protection laws has come under increased scrutiny.

Such scrutiny, in fact, that over the next several months it's likely we will see the most widely used mechanism for data transfers being ruled invalid by the European Court of Justice (ECJ), something that could have a profound impact on businesses once the transition period comes to an end in January 2021.

The case being heard will assess the legitimacy of the standard contractual clause (SCC), a mechanism that many businesses use to adhere to GDPR laws when sending data beyond EU jurisdiction.

SCCs allow one organisation to bake data protection obligations into a contract with another organisation, a useful tool for legally transferring data to those countries yet to be deemed 'adequate' by the EU. This is also a mechanism many UK-based businesses had hoped to rely upon in order to maintain smooth data flows post-Brexit.

Facebook Ireland's data-sharing arrangement with its US headquarters is perhaps the most famous instance of this in action, with the company relying heavily on SCCs since the invalidation of Safe Harbor.

Safe Harbor 2.0

The history of this case dates back to the invalidation of Safe Harbor in 2015, and could constitute an article on its own.

However, simply put, Facebook's reliance on SCCs raised the question as to whether the mechanism is robust enough to protect the data rights of EU residents when data is transferred to countries outside of the EU. This includes the US, where surveillance arrangements under PRISM allow security services to access transferred data, something which has been ruled incompatible with the EU's Charter of Fundamental Human Rights.

So far, the EU has recognised adequacy agreements with 13 countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the US (through Privacy Shield), with a further agreement being worked on with South Korea. For any data transfer to a controller or processor based in a country not on that list, standard contractual clauses are required.

What happens if SCCs are ruled invalid?

No one quite knows what the ECJ ruling will look like, but the consensus from the legal community is "don't panic".

If SCCs are ruled universally invalid, however, every business transferring data outside of the EU will need to reassess their processes and in some cases, scrap these arrangements entirely in order to comply with GDPR.

"Many organisations rely heavily on standard contractual clauses, and though there are various possible outcomes of the CJEU hearing, a worst-case scenario could see standard contractual clauses declared invalid," explains Emma Erskine-Fox, associate at UK law firm TLT. "This would have a significant impact on many organisations, as suitable alternative adequacy mechanisms may prove hard to come by."

Yet it's also possible that the Court of Justice will take a fairly narrow view of SCCs, rather than rule them to be universally invalid for all transfers. In that case, a ruling may require more robust mechanisms for transfers to countries with proven incompatibilities with EU data protection laws or the Charter for Fundamental Human Rights, such as overly-invasive surveillance activities in the US. Equally, the ruling may simply require businesses to adjust current practices in line with new guidance.

What we do know is that if SCCs are ruled to be invalid, organisations and data protection authorities across the European Union, as well as those areas it sends data to, will need time to consider the judgement.

"If you cast your mind back to when Safe Harbor was invalidated, the Article 29 Working Party (now the European Data Protection Board) suggested there might be a grace period of three months for improvement action," says Eleonor Duhs, director of technology, outsourcing and privacy at law firm Fieldfisher. "[The ECJ] may give some time for the Commission to put something else in place. So don't panic, there's going to be time to consider the judgment".

"Are data flows going to stop? It's very unlikely," adds Duhs. "Data is the currency of our modern trade and our global business and that sort of thing. So that would be quite a drastic outcome, I think."

A grace period would mean delayed enforcement against those that continue to rely on SCCs, but individual national data protection authorities would still be able to take action against a company using a standard contractual clause during this time, if they felt it infringed on the data rights of their citizens.

What's more, there are currently no viable alternatives for organisations to fall back on in the event that SCCs are invalidated.

"We would expect there to be a grace period to allow businesses to find an alternative data transfer mechanism, however, it's worth fully investigating the suitability of these alternatives," argues Erskine-Fox. "Privacy Shield only applies to EU-US data transfers and may itself be declared invalid by the Court of Justice of the European Union later this year and Binding Corporate Rules only legitimise intra-group transfers and take months to implement. Other derogations, such as consent, are usually impracticable."

Who will be most affected?

Max Schrems, the activist who brought the challenge against Safe Harbor and eventually kickstarted the SCC review, argues that smaller businesses are likely to be the most affected by any invalidity ruling.

"One thing, especially for smaller businesses, [you should] reconsider if you really need to have data flows to some foreign jurisdiction where all of this is complicated," says Schrems. "I encourage companies to think about the compliance costs, and probably get a local vendor, that may cost 10% more, but gets rid of all kinds of international data transfers, if it's relevant for your business. There are ways to oftentimes avoid these minefields by just saying, 'I'd rather give up the 10% that I save with cheaper hosting, [and avoid] a headache and the need for the whole legal department to work on it for a month, because that is technically more expensive than the savings you have.'"

Emma Erskine-Fox agrees, adding that, while organisations wait for updated guidance from the European Commission, "it's worth assessing whether the relevant transfers are strictly necessary and considering alternative arrangements for data transfers". In some cases, businesses "may wish to consider bringing data back within the EEA to help reduce the impact".

However, not all agree with this sentiment. Mark Taylor, partner at international legal practice Osborne Clarke, argues that while the SCC review represents an "extremely important case for thousands of companies around the world", he believes that data protection regulators will take a pragmatic approach.

"The European Commission has indicated that it is already working on new versions of standard contractual clauses, and it would be sensible to understand the direction and likely outcome of that activity before changing current arrangements," argues Taylor. "In the longer term, any invalidation of standard contractual clauses is likely to drive renewed interest in alternatives, such as binding corporate rules or certification solutions under GDPR."

What does this all mean for Brexit?

Regardless of how Brexit happens, the UK will be attempting to secure an adequacy agreement in order to ensure data is able to flow from the EU to the UK (data from the UK to the EU will continue to flow irrespective of any deal).

While every indication suggests that this will happen, the process for securing such an agreement will only start once the country is out of the EU, and there is no time limit on how long that will take. It's very unlikely that this will be sorted quickly, as no member state has ever attempted to divorce itself from the EU. This effectively forces the UK into a situation similar to the one the US faced over Safe Harbor, in which companies relied on the use of SCCs to maintain data flows while an agreement was negotiated.

In the event that SCCs are invalidated by the ECJ, this could theoretically leave UK businesses without a legal basis on which to receive data from the European Union, and therefore wide open to GDPR enforcement action.

"Brexit adds additional complexity," explains Bridget Treacy, partner and lead of the UK Privacy and Cybersecurity Practice at Hunton Andrews Kurth. "Once the UK leaves the EU, the UK will be like any other non-EU country in respect of data transfers and EU organisations will need a data transfer mechanism to continue to transfer personal data to the UK."

"In the absence of any period of grace, adopting a 'wait and see' approach during the period between the judgment and the European Commission's decision on new sets of Standard Contractual Clauses, risks a fine of 20,000,000 or 4% of the global annual turnover," she adds. "Clearly this is not a practical solution. At a minimum, organisations should ensure they have identified potentially affected data flows, and start to consider whether any of the admittedly limited alternative transfer mechanisms may provide a solution to enable any or all of their data flows to continue."
