Schrems déjà vu? Transfers of personal data once again in the regulatory spotlight
The validity of international transfer mechanisms, which allow companies to transfer personal data outside of the EU, is once again the subject of consideration by the European Courts today. The complaint against Facebook’s trans-Atlantic data sharing practices, originally raised in 2013, now comes before the European Court of Justice (“ECJ”) a second time, as Facebook (the subject of the initial complaint) has exhausted its legal avenues to appeal or block the consideration.
The chief issue is whether the ability of data protection authorities to suspend or ban the transfer of personal data to companies potentially subject to mass surveillance by governmental authorities is sufficient to ensure the continued validity of the standard contractual clauses and, by implication, the US Privacy Shield Framework. Such mechanisms form an essential part of the GDPR, allowing hundreds of thousands of companies to lawfully transfer personal data outside the EU. The derogations are interpreted narrowly, so the standard contractual clauses are by far the most common and pragmatic method of enabling GDPR-compliant transfers of personal data outside the EEA.
The case originates from a complaint by well-known privacy advocate Maximilian Schrems, who has alleged deficiencies in the international transfer frameworks in a challenge to Facebook’s practice of sharing user personal data with the US. The initial complaint to the Irish Data Protection Commissioner and Irish High Court focused on fears of mass surveillance, raising concerns about the ability of US authorities to force big tech companies to share user personal data with the American security services. Mr Schrems previously rose to prominence following a successful referral of his post-Snowden data privacy complaint and the subsequent (2015) collapse of the then International Safe Harbor Privacy Principles (Safe Harbor).
Should Mr Schrems be successful in his action against Facebook, the ruling by the ECJ has the potential to disrupt the data sharing practices of hundreds of thousands of companies and potentially create walled gardens within the internet. Although the case relates to transfers to the US under the standard contractual clauses, the fact that the clauses apply generally to all international transfers has already caused serious concerns amongst companies and other interested parties (as reflected in the number of parties involved in the case). Remaining compliant with the GDPR if the ECJ decides in Mr Schrems’ favour will be a time-consuming process. In the run-up to GDPR, companies should have already assessed their data flows. It is now worth revisiting that assessment: identify the processes, underlying infrastructure and areas of the business that currently depend on exporting personal data outside of the EEA, and consider which systems are critical and whether other data transfer mechanisms may be suitable under the GDPR.