UK firms may soon find it impossible to legally receive data from the EU
Businesses hold their breath as ECJ debates landmark case on standard contractual clauses
Ever since the invalidation of the US-EU Safe Harbor agreement in 2015, the transfer of data beyond the jurisdiction of European data protection laws has come under increased scrutiny.
Such scrutiny, in fact, that over the next several months it's likely we will see the most widely used mechanism for data transfers being ruled invalid by the European Court of Justice (ECJ), something that could have a profound impact on businesses once the UK leaves the EU on 31 October.
The case being heard, often referred to as Safe Harbor 2.0, is assessing the legitimacy of the standard contractual clause (SCC), a mechanism that many businesses use to adhere to GDPR laws when sending data beyond EU jurisdiction.
SCCs allow one organisation to bake data protection obligations into a contract with another organisation, a useful tool for legally transferring data to those countries yet to be deemed 'adequate' by the EU. This is also a mechanism many UK-based businesses had hoped to rely upon in order to maintain smooth data flows post-Brexit.
Facebook Ireland's data sharing arrangement with its US headquarters, which has relied heavily on SCCs over the years, particularly since the invalidation of Safe Harbor, is perhaps the most famous instance of this in action.
The ECJ had its first hearing on the case on 9 July; however, legal experts anticipate that a final ruling is many months away.
Safe Harbor 2.0
The history of this case dates back to the invalidation of Safe Harbor in 2015, and could constitute an article on its own.
However, simply put, Facebook's reliance on SCCs raised the question as to whether the mechanism is robust enough to protect the data rights of EU residents when data is transferred to countries outside of the EU, for example the US, where surveillance arrangements under PRISM, which allow security services to access transferred data, have been ruled to be incompatible with the EU's Charter of Fundamental Human Rights.
So far, the EU has recognised adequacy agreements with 13 countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the US (through Privacy Shield), with a further agreement being worked on with South Korea. For any data transfer to a controller or processor based in a country not on that list, standard contractual clauses are required.
What happens if SCCs are ruled invalid?
No one quite knows what the ECJ ruling, whenever that appears, will look like, but the consensus from the legal community is "don't panic".
If SCCs are ruled universally invalid, however, every business transferring data outside of the EU will need to reassess its processes and, in some cases, scrap these arrangements entirely in order to comply with GDPR.
"Many organisations rely heavily on standard contractual clauses, and though there are various possible outcomes of the CJEU hearing, a worst-case scenario could see standard contractual clauses declared invalid," explains Emma Erskine-Fox, associate at UK law firm TLT. "This would have a significant impact on many organisations, as suitable alternative adequacy mechanisms may prove hard to come by."
Yet it's also possible that the Court of Justice will take a fairly narrow view of SCCs, rather than rule them to be universally invalid for all transfers. In that case, a ruling may require more robust mechanisms for transfers to countries with proven incompatibilities with EU data protection laws or the Charter for Fundamental Human Rights, such as overly invasive surveillance activities in the US. Equally, the ruling may simply require businesses to adjust current practices in line with new guidance.
What we do know is that if SCCs are ruled to be invalid, organisations and data protection authorities across the European Union, as well as those areas it sends data to, will need time to consider the judgement.
"If you cast your mind back to when Safe Harbor was invalidated, the Article 29 Working Party (now the European Data Protection Board) suggested there might be a grace period of three months for improvement action," says Eleonor Duhs, director of technology, outsourcing and privacy at law firm Fieldfisher. "[The ECJ] may give some time for the Commission to put something else in place. So don't panic, there's going to be time to consider the judgment."
"Are data flows going to stop? It's very unlikely," adds Duhs. "Data is the currency of our modern trade and our global business and that sort of thing. So that would be quite a drastic outcome, I think."
A grace period would mean delayed enforcement against those that continue to rely on SCCs, but individual national data protection authorities would still be able to take action against a company using a standard contractual clause during this time, if they felt it infringed on the data rights of their citizens.
What's more, there are currently no viable alternatives for organisations to fall back on in the event that SCCs are invalidated.
"We would expect there to be a grace period to allow businesses to find an alternative data transfer mechanism; however, it's worth fully investigating the suitability of these alternatives," argues Erskine-Fox. "Privacy Shield only applies to EU-US data transfers and may itself be declared invalid by the Court of Justice of the European Union later this year, and Binding Corporate Rules only legitimise intra-group transfers and take months to implement. Other derogations, such as consent, are usually impracticable."
Who will be most affected?
Max Schrems, the activist who brought the challenge against Safe Harbor and eventually kickstarted the SCC review, argues that smaller businesses are likely to be the most affected by any invalidity ruling.
"One thing, especially for smaller businesses, [you should] reconsider if you really need to have data flows to some foreign jurisdiction where all of this is complicated," says Schrems. "I encourage companies to think about the compliance costs, and probably get a local vendor, that may cost 10% more, but gets rid of all kinds of international data transfers, if it's relevant for your business. There are ways to oftentimes avoid these minefields by just saying, 'I'd rather give up the 10% that I save with cheaper hosting, [and avoid] a headache and the need for the whole legal department to work on it for a month, because that is technically more expensive than the savings you have.'"
Emma Erskine-Fox agrees, adding that, while organisations wait for updated guidance from the European Commission, "it's worth assessing whether the relevant transfers are strictly necessary and considering alternative arrangements for data transfers". In some cases, businesses "may wish to consider bringing data back within the EEA to help reduce the impact".
However, not all agree with this sentiment. Mark Taylor, partner at international legal practice Osborne Clarke, argues that while the SCC review represents an "extremely important case for thousands of companies around the world", data protection regulators are likely to take a pragmatic approach.
"The European Commission has indicated that it is already working on new versions of standard contractual clauses, and it would be sensible to understand the direction and likely outcome of that activity before changing current arrangements," argues Taylor. "In the longer term, any invalidation of standard contractual clauses is likely to drive renewed interest in alternatives, such as binding corporate rules or certification solutions under GDPR."
What does this all mean for Brexit?
Regardless of how Brexit happens, the UK will be attempting to secure an adequacy agreement in order to ensure data is able to flow from the EU to the UK (data from the UK to the EU will continue to flow irrespective of any deal).
While every indication suggests that this will happen, the process for securing such an agreement will only start once the country is out of the EU, and there is no time limit on how long that will take. It's very unlikely that this will be sorted quickly, as no member state has ever attempted to divorce itself from the EU. This effectively forces the UK into a situation similar to the one the US faced over Safe Harbor, in which companies relied on the use of SCCs to maintain data flows while an agreement was negotiated.
In the event that SCCs are invalidated by the ECJ, this could theoretically leave UK businesses without a legal basis on which to receive data from the European Union, and therefore wide open to GDPR enforcement action.
"Brexit adds additional complexity," explains Bridget Treacy, partner and lead of the UK Privacy and Cybersecurity Practice at Hunton Andrews Kurth. "Once the UK leaves the EU, the UK will be like any other non-EU country in respect of data transfers and EU organisations will need a data transfer mechanism to continue to transfer personal data to the UK."
"In the absence of any period of grace, adopting a 'wait and see' approach during the period between the judgment and the European Commission's decision on new sets of Standard Contractual Clauses risks a fine of €20,000,000 or 4% of the global annual turnover," she adds. "Clearly this is not a practical solution. At a minimum, organisations should ensure they have identified potentially affected data flows, and start to consider whether any of the admittedly limited alternative transfer mechanisms may provide a solution to enable any or all of their data flows to continue."