Europeans could be in for an unfortunate surprise as their data transfers to the world begin to look like a thing of the past.
Globalisation and digitisation have made Europe a leading global exporter of digitally delivered services. European firms, ranging from energy companies to truck manufacturers, rely on global information exchanges to monitor machine performance, enhance security, manage global value chains, and more.
Europe’s legal framework for data transfers, however, was written in the early 1990s, before the Internet revolution and the rise of global data flows. In consequence, the EU has since the 1990s had restrictions in place for the transfer of personal data, which is only allowed under a few legal exceptions.
One of the legal tools for data transfers was the EU-U.S. Safe Harbour framework. This mechanism enabled thousands of European and U.S. companies to transfer commercial data, such as payroll data, from the EU to the U.S. The EU and U.S. negotiators were on track to finalise an updated and strengthened framework when the Court of Justice of the EU (CJEU) struck down the old Safe Harbour in October 2015.
Since then, EU and U.S. negotiators have significantly revised the text (renamed “Privacy Shield”) and are working to finalise a far more robust set of obligations on companies that sign up to the framework. In a few weeks a group of EU Member States (the “Article 31 Committee”) is slated to vote on Privacy Shield, which will clear the way for it to be officially adopted.
Back when the CJEU invalidated Safe Harbour, I warned that other EU legal tools could be questioned and also invalidated by the EU’s highest court. This dangerous game of dominoes is now materialising.
In turn, the Irish High Court may refer the case to the CJEU. While the case names Facebook, the IDPC makes clear that she is questioning the validity of SCCs generally, not with respect to any one company’s practices.
The Irish Data Protection Commissioner focuses on a relatively narrow legal question: Are SCCs valid under EU law if EU citizens aren’t able to avail themselves of an adequate legal remedy when their data is transferred to the U.S. and may be accessed for national security purposes? In her draft decision, the IDPC examines remedies available to EU citizens under existing U.S. law, but interestingly doesn’t evaluate the new Ombudsperson mechanism created as part of Privacy Shield. The Ombudsperson mechanism was designed to provide EU citizens the opportunity to submit complaints and inquiries regarding U.S. intelligence programs to a new independent office within the U.S. Department of State. Importantly, the Ombudsperson mechanism is available to all EU citizens, regardless of what legal methods were used to transfer their data.
The IDPC case now more decisively ties the fate of the Privacy Shield framework to that of SCCs: If Privacy Shield fails to win the “yes” vote by EU Member States, the Ombudsperson mechanism it includes will also fail—which means the Irish High Court and CJEU would not be able to evaluate this strong new legal remedy when they take up the IDPC’s referral. The fate of SCCs will hang in the balance.
European companies should sit up and take notice, as thousands of them rely on SCCs for their data transfers to third countries with varying commitments to privacy protections and the rule of law. If U.S. legal remedies aren’t considered sufficient to save transfers under SCCs, how likely would it be that European Data Protection Authorities or the courts would uphold transfers to countries like Russia, India or China?
While the American legal system is somewhat different from the EU’s, there is no question that it builds on democracy and rule of law. In fact, the U.S. has undertaken major surveillance reform post-Snowden and extended new redress rights to Europeans. It is perhaps the most transparent country about its legal procedures. One could ask whether EU Member States themselves would pass the EU’s own test.
So a possible invalidation of SCCs could prohibit thousands of European companies from transferring data to the world and let Europe drift even closer to data isolation. A halt to EU data transfers to the world could lead to EU GDP losses of -1,1% and an overall drop of domestic investments of -3,9%.
Hopefully, this chain reaction scenario will not play out this way. As mentioned above, on top of recent years’ U.S. surveillance reform, important new safeguards for transatlantic data transfers are about to be adopted as part of the new EU-U.S. Privacy Shield. The safeguards in Privacy Shield apply to other transatlantic data mechanisms including SCCs, such as the new legal remedy of the independent Ombudsperson, who will handle and solve complaints or enquiries raised by EU individuals. European data protection authorities have called the many new safeguards in Privacy Shield “significant improvements.”
It is paramount that legal certainty is restored now. There is no future for Europe and its companies isolated from the world, and data is at the very heart of this global connection. It is thus imperative that EU Member States now approve the Privacy Shield framework and finalise the negotiating process that has been going on for almost three years now. This would immediately provide certainty to European and international companies and consumers.
In the long term, Europe should consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world.
 Technically, the CJEU didn’t invalidate Safe Harbour but rather the European Commission’s adequacy decision given the European Commission’s failure to properly determine “essential equivalence” between the third country data protection scheme and the EU’s.
 Standard contractual clauses are a legal instrument developed by data protection authorities and the European Commission. They ensure that even if the data is transferred outside of the EU, the level of protection remains the same.