We live in an increasingly technological age where real power is driven by data. Every day more data is created about each of us and stored away, whether that is data stored by our employer, a bank, scorecard provider or social media site. We have seen the importance of data and the way it can be used in the Cambridge Analytica debate around the use of data in political elections.
The technological revolution combined with the growing importance and use of data prompted the EU to issue a new Data Directive (“GDPR”) which resulted in the UK in the Data Protection Act 2018. Businesses within the EU are able to transfer data freely between countries. However, many businesses in the UK and the EU are part of wider global enterprises, particularly the US.
Historically, data could be transferred to the US because of the Safe Harbour arrangements which had been agreed as a result of Schrems I (litigation involving an Austrian national and Facebook) Safe Harbour was struck down by the ECJ. The challenge was that the US authorities have the power to access all forms of data upon request, something not possible in the EU. Urgent negotiations had to take place between the US and the EU to agree new adequacy arrangements resulting in Privacy Shield.
Having won round one Max Schrems challenged Facebook again over its transfer of data from its EU headquarters in Ireland to the US.
The ECJ looked at the issue of data transfer again. It found the US wanting and struck down Privacy Shield, largely for the same reason, the ability of governmental organisations to access private data.
The result of this decision is that at present all transfers of data to the US relying upon Privacy Shield are in breach of the Data Protection Act and businesses relying on Privacy Shield need to take urgent action to be compliant.
Transfers of data to third countries outside the EU, other than the US rely either on Binding Corporate Rules or Standard Contract Clauses (SCCs). The ECJ did not comment on the status, although they were part of Max Schrems challenge. However any reliance on SCCs is likely to come under significant scrutiny.
When Safe Harbour fell the ICO and other EU data authorities provided time for business to move to an alternative arrangement, coupled with the lack of enforcement action, to make the transition.
Given comments already made, it seems likely that there are moves afoot to amend Privacy Shield to take account of the ECJ’s comments.
Businesses considering moving to SCCs will have to consider very carefully the ability for third parties to access personal data and having a written policy in place to assess adequacy whenever data is to be transferred to a third country.
For help and support about data protection and data transfer issues for your organisation, please contact Barry Stanton [email protected] or via our website.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.