Christian Borggreen / Jun 2016
Digitisation and globalisation have made Europe a leading global exporter of digitally delivered services. European firms, ranging from energy companies to truck manufacturers, rely on global information exchanges to monitor machine performance, enhance security, manage global value chains, and more.
Europe’s legal framework for data transfers, however, was written in the early 1990s, before the Internet revolution and the rise of global data flows. In consequence, the EU has since the 1990s had restrictions in place for the transfer of personal data, which is only allowed under a few legal exceptions. These exceptions for data transfers now risk being invalidated in courts one by one.
The most high-profile case was the Court of Justice of the EU’s (CJEU) invalidation of the EU-U.S. Safe Harbour framework in October 2015. This mechanism enabled thousands of European and U.S. companies to transfer commercial data, such as payroll data, from the EU to the U.S. The EU and U.S. negotiators were on track to finalise an updated and strengthened framework but were surprised by the ruling. Since then, EU and U.S. negotiators have significantly revised the text (re-named “Privacy Shield”) and are working to finalize a far more robust set of obligations on companies that sign up to the framework. EU Member States are expected to vote in favor of Privacy Shield, clearing the way for official adoption this summer.
The CJEU’s invalidation, however, started a chain reaction in which other EU legal tools could be challenged and risk invalidation.
The Irish Data Protection Commissioner (IDPC) is now requesting that the Irish High Court review the validity of another EU data transfer mechanism, standard contractual clauses (SCCs). In turn, the Irish High Court may refer the case to the CJEU. While the case names Facebook, the IDPC makes clear that she is questioning the validity of SCCs generally, not with respect to any one company’s practices.
In her draft decision, the IDPC examines legal remedies available to EU citizens under existing U.S. law, but interestingly doesn’t evaluate the new Ombudsperson mechanism created as part of Privacy Shield. The Ombudsperson mechanism was designed to provide EU citizens the opportunity to submit complaints and inquiries regarding U.S. intelligence programs to a new independent office within the U.S. Department of State. Importantly, the Ombudsperson mechanism is available to all EU citizens, regardless of what legal methods were used to transfer their data.
The IDPC case now more decisively ties the fate of the Privacy Shield framework to that of SCCs: If Privacy Shield fails to win the “yes” vote by EU Member States, the Ombudsperson mechanism it includes will also fail—which means the Irish High Court, and possibly the CJEU, would not be able to evaluate this strong new legal remedy when they take up the IDPC’s referral. The fate of SCCs will hang in the balance.
European companies should sit up and take notice, as thousands of them rely on SCCs for their data transfers to third countries with varying commitments to privacy protections and the rule of law. If U.S. legal remedies aren’t considered sufficient to save transfers under SCCs, how likely would it be that European Data Protection Authorities or the courts would uphold transfers to countries like Russia, Brazil, India or China?
While the American legal system is somewhat different from the EU’s, there is no question that it builds on democracy and rule of law. In fact, the U.S. has undertaken major surveillance reform post-Snowden and extended new redress rights to Europeans. It is perhaps the most transparent country about its legal procedures. One could ask whether EU Member States themselves would pass the EU’s own test...
So a possible invalidation of SCCs could prohibit thousands of European companies from transferring data to the world and let Europe drift even closer to data isolation. A halt to EU data transfers to the world could lead to EU GDP losses of -1,1% and an overall drop of domestic investments of -3,9% according to the think tank ECIPE.
Hopefully, this chain reaction scenario will not play out this way. As mentioned above, on top of recent years’ U.S. surveillance reform, important new safeguards for transatlantic data transfers are about to be adopted as part of the new EU-U.S. Privacy Shield. The safeguards in Privacy Shield apply to other transatlantic data mechanisms including SCCs, such as the new legal remedy of the independent Ombudsperson, who will handle and solve complaints or enquiries raised by EU individuals. European data protection authorities have called the many new safeguards in Privacy Shield “significant improvements.”
It is paramount that legal certainty is restored now. There is no future for Europe if its companies are digitally cut off from the world. It is imperative that the Privacy Shield framework is adopted without delay to provide certainty to European and international companies and consumers.
In the long term, Europe might want to consider whether its 20th-century localised data protection framework is well suited to the 21st-century interconnected digital world.