[Editor’s Note: Data Privacy is an evolving field of study. As predicted, lack of attention to irresponsible collection, management, and use of personal data by corporate entities has garnered the attention of regulators. In other words, what the private sector fails to adequately police and address, the regulatory agencies will gladly step in to attempt to bring organization to chaos.
As Richard Dutton writes in this article, the European Court of Justice (ECJ) issued a ruling this month that invalidated a previously agreed standard governing the transfer of personal data from the EU to the US, known as Privacy Shield.
Because the regulatory aspects of data privacy are so complex, we welcome the unpacking of these court rulings from Richard Dutton, who has a dedicated business focus to guide executives through the minefield of legislation that will change the way we market to customers in the future. Many thanks to Richard for his article.]
By: Richard Dutton FIDM, CLMP
The European Court of Justice ruling on Thursday invalidates the EU-US Privacy Shield. The new ruling has triggered a storm of debate which is likely to rage for some time. Reactions have ranged from media reports of “data transfer chaos and confusion” to lawyers calling for calm and to “carry on”.
The “carry on” line is no doubt linked to the survival of Standard Contractual Clauses (SCCs) under the ruling, although the Court has ensured that they will come under increased scrutiny. For some, however, even SCCs won’t be sufficient to transfer and process EU personal data lawfully in the US.
European privacy expert Alexander Hanff believes “the ECJ comments on Executive Order (EO) 12333 and the Foreign Intelligence Surveillance Act (FISA) §702 essentially pave the way to outlaw any US company from processing the personal data of EU data subjects”. Hanff points to the most important line in the Judgment: “Furthermore, according to the findings of the referring court, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.” As long as these issues remain, Hanff contends “there is literally no mechanism (now or in the future) which can meet the requirements of EU law”.
Leading data lawyer Will Richmond-Coggan at Freeths LLP points out, however, that “there are a number of circumstances under Article 49 GDPR which are unaffected, including where the informed consent of the data subject has been obtained”. Richmond-Coggan explains that “organisations have been dealing with necessary exports of data to genuinely problematic countries using consent (e.g. where there is no independent judiciary to allow enforcement of contractual obligations, for example) up until now.”
It is unlikely that Article 49 GDPR will produce the calm some have been calling for. There is no appeal to the ECJ ruling and a solution needs to be found to maintain the $7 trillion of international trade flowing between the USA and Europe. Over 5,000 US companies who have invested in complying with Privacy Shield will understandably be asking “How is it that the European Commission (EC) has been advising us for the last 3 years that Privacy Shield was adequate and now it’s not?” Their US lawyers are likely to be far more aggressive in their questioning of the EC.
While uncertainty prevails in the aftermath of the ruling, it will be important for organisations to plan some practical next steps. Amidst the doom and gloom, Lara Liss, Global CPO of Walgreens Boots Alliance, speaking on an expert panel at a OneTrust webinar on the afternoon of the ruling, suggested these 5 steps:
- Engage the right experts (legal and others)
- Assess and consult within the business
- Take recommendations to the leadership team
- Document the basis of your decision
- Develop an action plan based on the risk tolerance of the business
However, that same panel of experts expressed their concern at an inevitable increase in litigation — including from individual class actions. When asked about Brexit, William Long, of law firm Sidley Austin, was equally clear that “the ruling certainly upped the stakes” — especially for the UK to achieve “adequacy” prior to the end of the transition period on December 31st, 2020. Game on.
If you want to read additional material on this topic, please check out this article from Daniel Solove and Paul Schwartz.