The Schrems II judgement of the Court of Justice of the European Union (CJEU) makes the transfer of personal data to the US from the EU close to legally impossible. The Court has struck down Privacy Shield as incapable of providing sufficient protection for the personal data of EU citizens transferred to the US and has severely constrained the use of Standard Contractual Clauses (SCCs) as an alternative way of doing so.
The Court’s judgement is rooted in the finding that there is a significant disconnect between the EU’s emphasis on data privacy as a fundamental right and the US’s stress on the national security imperative for its intelligence agencies to be able to access data transferred to the US. (See here for a useful summary of the background to the case.)
The bottom line takeaway from the CJEU’s decision is that, no matter what procedure is used, it is illegal to transfer the personal data of EU citizens to third countries if that data cannot be protected to the standards that the EU demands when it arrives in that country.
The CJEU, in line with the Charter of Fundamental Rights and the wording of the GDPR, has prioritised data privacy over economic considerations. Whether an appropriate balance has been struck is for European politicians to decide.
For my part, I have my doubts. If politics is understood as the way societies make decisions about the type of society they want to be, then courts are political, and their decisions are not beyond question or review. If changes to constitutions or fundamental laws are required to restore balance, then that debate needs to be had.
It also needs to be kept in mind, when thinking about all this, that once your data is online no law is going to be able to protect it totally. There is no computer or system that is beyond hacking.
But, for the moment, we are where we are, and the CJEU’s ruling in Schrems II carries implications for Brexit.
For what is true of data transfers to the US from the EU will be even more true of data transfers to the UK after January 1 next when the UK leaves the EU’s single market and customs union. For every bit of business between the UK and the EU involves data transfers of some sort.
The UK has a “security surveillance state” every bit as extensive as that of the US, working within the overarching framework of the Investigatory Powers Act 2016, commonly known as the “Snoopers’ Charter”.
While a member of the EU, the UK got a “get out of jail” card over the Act, as the GDPR has a security exemption for EU member states, an exemption that is not extended to non-members. Is it hypocrisy to have one set of rules for EU member states and another set for non-members? The EU would say no because, ultimately, any transgression within the EU can be complained of to the CJEU. That is not the case for non-members.
Whether or not the EU should block the export of personal data to a democratic country because the security services of that country may hoover up that data is something that may now need to be reconsidered. Spies spy, and if spies want data on a particular individual then they will go looking for it without too much concern for borders.
If blocking the export of personal data to the US or the UK because of concerns over the activities of the security services in those countries results in severe damage to the digital economy and the millions of jobs at stake, then Europeans need to be aware that this is a trade-off that they have to make. To borrow a phrase from the Brexit debate, Europeans cannot have their data cake and eat it. Restrictions on data flows to the US will result in job losses. There is no getting around this fact.
To put it very bluntly, the striking down of Privacy Shield and the severe limitations on SCCs will have significant, adverse implications for the EU/US digital economy.
But the implications for EU/UK digital trade could be even worse. And it could hamper the trade in goods as well. Lest there be any misunderstanding, all of the consequences that flow from Brexit are entirely the responsibility of the UK. It was not asked to leave the EU, much less expelled. Further, the post-Brexit relationship that the UK wants with the EU is also entirely the responsibility of the UK.
As and from January 1 next the UK will put in place an economic and migratory border between itself and the European Union. That border will also be a digital border, as the UK will be withdrawing from the EU’s “single data space”, governed by the GDPR. Borders mean that you need permission to cross them. That includes digital borders.
Goods crossing from the UK to the EU and vice versa will be subject to new checks and controls. So also will the drivers of the 15,000+ trucks that cross the Channel every day. The last time there was a customs border between the UK and mainland Europe was in 1972. In those days, there were no computers at border posts. Permission to cross required the right paperwork on the day, including passports, driving licences and insurance cards. Trucks and drivers were stopped and checked.
The EU’s customs union and single market did away with all that. People, goods and trucks cross friction-free between the UK and mainland Europe. All relevant controls are digital.
Now, Brexit is bringing us back to the bad old days. As Davis Smith writes in the Sunday Times:
For trade in goods there will be customs controls, tariff controls, VAT and excise payments, and checks on conformity with regulatory standards. For trade in services, UK firms will have to demonstrate compliance with service standards, there will be a loss of current rail, air and road transport licences, and an end to recognition of UK professional qualifications. The settlement for financial services is up in the air.
UK travellers will need a visa to stay in the EU for 90 days or more in any 180-day period, will lose the right to work in the EU, and UK driving licences will no longer be recognised. Use of the EU pet passport will end, as will the guarantee of no roaming charges for mobiles.
After the UK leaves the EU’s single market and customs union on January 1 next, these new controls will come into place, irrespective of whether there is a deal between the UK and the EU or not. The UK has decided to end freedom of movement between it and the EU. People will need permission to cross the border, going both ways. That includes truck drivers.
That means “exporting” the personal data of truck drivers from the EU to the UK. If the UK does not have a data adequacy decision could the exporting of such data be seen as contrary to the GDPR? Or could it be regarded as data essential to the performance of a contract and therefore a legitimate reason to export?
These questions do not answer themselves. We have never been here before. It is over forty years since there was a customs border between the UK and the EU. There has never been a digital border, because it was while the UK was a member of the EU that the digital world was born. The whole raison d’être of the original Data Protection Directive, first proposed in 1992, was to facilitate data transfers within the newly-minted Single Market as new computer and communications technologies began to make an impact.
The deep, digital integration between the UK and the EU does not just relate to business but touches on all aspects of our lives.
Who now remembers the days when, to pay with a credit card, the merchant took out a swipe machine and you signed a bit of paper there and then? If the merchant wanted to check whether you had any credit left on your card, he or she had to call the card company. How often did you hope they wouldn’t make that call! Now it is all done digitally, and if you have no credit on your card you are out of luck.
Or the days when, to go on holiday abroad, you had to go to the bank weeks in advance and order either foreign currency or travellers’ cheques?
Now, you pay with your credit card online or use your bank card in an ATM when abroad. All of these things involve the transfer of personal data, and all of them require agreements between governments to allow them to happen. An ecosystem of invisible agreements exists that no one is aware of. Until things go wrong.
It seems to us that when it comes to Brexit the dilemma is this. The UK’s Investigatory Powers Act 2016 has been widely criticised for overreach. For a useful overview see here.
At the same time, the UK has incorporated the GDPR into its domestic legislation and, for the immediate future in any event, will continue to use the GDPR as its data protection law, even if Boris Johnson has said that he wants the UK to be able to deviate from it in the future.
Unlike the US, the UK also has a robust data protection authority, the Information Commissioner’s Office (ICO), which describes itself as “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
The ICO has an excellent reputation among its colleagues in the European data protection community.
Of course, even if the UK were to be given a data adequacy decision, all that would mean is that data can be safely transferred to the UK. No matter what, it will still not be possible to base EU data controllers in the UK, nor will the UK be part of the EU data protection decision-making processes.
Following the logic of the Schrems II judgement the EU Commission may well come to the decision that because of the Investigatory Powers Act it cannot give the UK a data adequacy decision. Concerns could be further compounded by agreements between the UK and the US over the sharing of intelligence data.
There will also be concerns that data transferred to the UK could then be transferred to the US, a “data backdoor” if you will. The position has been neatly summarised by Oliver Patel in a piece published just after the Schrems II judgement:
The UK wants unrestricted data transfers with both the EU and the US. The former would ideally be achieved via an EU adequacy decision, whereby the European Commission formally recognises the UK as a safe haven for data transfers. The latter was going to be achieved by the UK and US essentially copying the EU-US Privacy Shield, which had been “rolled over” in UK law before Brexit. Today’s invalidation undermines both plans.
The EU will be concerned that if companies transfer EU citizens’ data to the UK, the UK might in turn transfer that data to the US, under the unlawful Privacy Shield framework. Put simply, the UK may not be granted adequacy if it is seen as a backdoor to unprotected US data transfers. The UK will have to decide what is more important: data flows with the EU or the US?
As we said above, the problem has been created by the UK’s decision to leave the EU single market and the “single data space”. And if, as Patel says, the UK “will have to decide what is more important: data flows with the EU or the US?”, then the EU will also have to decide to what extent it wants to prioritise data privacy and protection over economic considerations.
Does anyone know with any degree of certainty how many jobs in Europe are dependent on EU/UK data flows? For example, how many tourist jobs in Spain depend on the passing back and forth of data between hotels and UK travel and tour operators? Given the devastation that Covid-19 has already wreaked, do they need another hammer blow, this time self-inflicted?
So, how do we solve the issue?
Article 23 of the GDPR states
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
The Article then lists the objectives that can justify such a restriction; the first three are national security, defence and public security.
Now, why not make this exemption available to all democratic societies and not just EU member states? Or are EU democracies morally superior to all other democracies? That is a proposition that would be hard to sustain, given the somewhat loose relationship that some current eastern EU member states have with democracy and the rule of law. Is there not a touch of “do as we say, not as we do” in the EU’s position?
How could one decide if a country has a “democratic society”? Use the EU’s own Copenhagen Criteria.
In essence, the criteria are:
- political criteria: stability of institutions guaranteeing democracy, the rule of law, human rights and respect for and protection of minorities;
- economic criteria: a functioning market economy and the capacity to cope with competition and market forces;
- administrative and institutional capacity to effectively implement the acquis and ability to take on the obligations of membership.
The third bullet point is not relevant. But by any measure the other two could be used in deciding on the “intelligence exemption”, even if the current administration in the US strains things somewhat.
Take national intelligence gathering by democratic governments out of the picture. Let the GDPR focus on “economic protection”, ensuring that personal data is only used and processed by economic operators with the full consent of the data subject, the “owner” of the data.
Now, as anyone who reads these Briefings knows I have always regarded Brexit as a negative sum game, something that will damage both sides. But I see no reason to aggravate the damage by refusing the UK a data adequacy decision on the grounds of Schrems II when the thesis underlying Schrems II is unsustainable. This is not the fault of the Court. They interpreted the law as they found it. It is the politicians who made the law in the first place that are responsible.
I should also make it clear that I am no fan of the “surveillance state” but that is the world as we find it, in the US, the UK, France and the rest. To demand, as some do, the dismantlement of the surveillance state as a precondition for the free transfer of data is to ask the impossible. To block the free flow of data because of this demand will do irreparable economic damage in the meantime.
When it comes to jobs, do we really want to pile a digital disaster on top of the Covid-19 catastrophe?
Politicians now need to remake the law.