The European Court of Justice (ECJ) ruling on Thursday 16 July 2020 to invalidate the US Privacy Shield has triggered a storm of debate which is likely to rage for some time. Reactions have ranged from media reports of “data transfer chaos and confusion” to lawyers calling for calm and to “carry on”.

The “carry on” line is no doubt linked to the survival of Standard Contractual Clauses (SCCs) under the ruling, although the Court has ensured that they will come under increased scrutiny. For some, however, even SCCs won’t be sufficient to transfer and process EU personal data lawfully in the US.

European privacy expert Alexander Hanff believes “the ECJ comments on Executive Order (EO) 12333 and the Foreign Intelligence Surveillance Act (FISA) §702 essentially pave the way to outlaw any US company from processing the personal data of EU data subjects”. Hanff points to the most important line in the Judgement: “Furthermore, according to the findings of the referring court, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.” As long as these issues remain, Hanff contends “there is literally no mechanism (now or in the future) which can meet the requirements of EU law”.

Leading data lawyer Will Richmond-Coggan at Freeths LLP points out, however, that “there are a number of circumstances under Article 49 GDPR which are unaffected, including where the informed consent of the data subject has been obtained”. Richmond-Coggan explains that “organisations have been dealing with necessary exports of data to genuinely problematic countries using consent (e.g. where there is no independent judiciary to allow enforcement of contractual obligations, for example) up until now.”

It is unlikely that Article 49 GDPR will produce the calm some have been calling for. There is no appeal against the ECJ ruling, and a solution needs to be found to maintain the $7 trillion of international trade flowing between the USA and Europe. Over 5,000 US companies that have invested in complying with Privacy Shield will understandably be asking “How is it that the European Commission (EC) has been advising us for the last 3 years that Privacy Shield was adequate and now it’s not?” Their US lawyers are likely to be far more aggressive in their submissions to the EC.

While uncertainty prevails in the aftermath of the ruling, it will be important for organisations to plan some practical next steps. Amidst the doom and gloom, Lara Liss, Global CPO of Walgreens Boots Alliance, speaking on an expert panel at a OneTrust webinar on the afternoon of the ruling, suggested these 5 steps:

  1. Engage the right experts (legal and others)
  2. Assess and consult within the business
  3. Take recommendations to the leadership team
  4. Document the basis of your decision
  5. Develop an action plan based on the risk tolerance of the business

However, that same panel of experts expressed their concern at an inevitable increase in litigation – including from individual class actions. When asked about Brexit, William Long, of lawyers Sidley Austin, was equally clear that “the ruling certainly upped the stakes” – especially for the UK to achieve “adequacy” prior to the end of the transition period on 31 December 2020. Game on.