European court strikes-down EU/US electronic data transfer agreement

© Flickr/cc-licence/Johann

© Flickr/cc-licence/Johann

  • Follows lawsuit to stop Facebook, Google etc. from transferring private European data to US
  • Europe's privacy laws are much stronger than in America
  • Data transferred to US routinely surveilled and processed by government agencies
  • Post-Brexit UK likely to be "piggy-in-the middle" of a game of transAtlantic hardball

The European Court of Justice (ECJ), sitting in Luxembourg, has put a cat amongst the transAtlantic pigeons by striking down "Privacy Shield", the 2016 agreement that permits the (for some, rather too-easy) movement of electronic data between the EU and the US. The personal, private data of all citizens of the EU is guaranteed by law. It is enshrined in the Charter of Fundamental Rights of the European Union and that elemental protection is further bolstered by the 2018 General Data Protection Regulation (GDPR).

The ECJ ruling says Privacy Shield does not meet with EU privacy rights and regulations and is very much a landmark legal victory for those campaigning to stop companies such as Facebook and Google from transferring personal private data to countries whose data protection laws are deemed to be less stringent and leaning rather more towards state surveillance than in Europe. The US is deemed to be one such country. Others are China, India and Russia.

It has taken seven years for the case to wend its way through the European judicial system. Back in 2013 the US whistleblower, Edward Snowden, revealed that US government surveillance systems routinely scoop-up and keep the bulk content of electronic communications in transfer not only between private individuals but also private businesses. Since then there have been dark mutterings about US industrial espionage against European enterprises and, amongst the communications likely to be affected by the ECJ ruling are business and private emails, customer records, financial records, human resources records, marketing databases and postings on social media. In other words, just about everything.

In essence, the ECJ ruling (all 63 pages of it) confirms that overarching EU law in general, and GDPR in particular, applies when businesses transfer data outside the EU and also bears on when such data is "processed" by third-party governments for national security and defence purposes. It says that EU citizens are entitled to, and must be afforded the same levels of, "essentially equivalent protection" for their data when it is transferred to other countries, as they are at home under EU law.

The Court has ruled that multi-companies (Facebook, Google and others of their ilk as well as up to half a million smaller businesses) have a legal responsibility to take full cognisance of, and responsibility for, ensuring their data transfer systems and procedures take into account the legislative regimens of the countries outside of the EU. It is applicable to companies receiving or transferring data from within the EU and must take account of the access that governments, government agencies, public authorities and other bodies have to data on European citizens.

Regardless of bluster the reality is that little will change

The ruling does not completely negate all data transfers. It continues to validate another extant legal mechanism that may continue to be used, subject to some beefed-up clauses and caveats. These are "Standard Contractual Clauses" (SCCs) that permit companies in Europe legally to share data with the US and other nations subject to the proviso that the transfer is in accordance with European legislation. Currently, SCCs are routinely used where data transfer is effected between the EU and 180 listed countries including Australia, Brazil, Canada, Mexico, New Zealand, Singapore and South Korea.

Under the requirements of the SCC, data transfers must also take into account the legal systems of the countries receiving the data and any and all access that governments, government agencies and public authorities have to the data of EU citizens. What's more, the receiving company or organisation must tell the data exporter if there is any impediment or inability to comply with the SCC. Most importantly, the exporting company must not send any data transfer if EU privacy legislation would be breached.

Policing of the SCC system would be the responsibility of Data Protection Regulators - so if history is anything to go by, and it usually is, it will be a time-consuming bureaucratic exercise in bolting the stable door, after the horse has cantered to the Derby, the race and been put out to stud. After all, we are talking about a physical electronic process that takes a matter of milliseconds to transfer massive tranches of data. Data Protection Regulators don't sound like much of a deterrent against that, do they?

The reality is that there is little immediate likelihood of a sudden cessation or even a diminution in the amounts of data moving from the EU to the US, not least because, even as the ECJ was considering its long-awaited ruling, apparatchiks elsewhere in the byzantine corridors that house the cogs, cranks and escapements of the hidden realpolitik of the European Commission, were letting it be known, sotto voce, that plans are in place to ensure there will be no interruption to transAtlantic commerce. After all, one hand cannot wash itself. 

Meanwhile, multinational corporations are calling for a lengthy period of time during which ECJ judgement would not be implemented while officials from the EU and the US negotiate a new data transfer agreement - another Privacy Shield where the "privacy" part might actually have some real meaning, but probably won't.

Didier Reynders, the EU's Justice Commissioner commented, 'The judgment is another steppingstone in our commitment to ensuring that personal data is fully protected in the EU and its transfers outside of the EU " He added, "I will reach out to my US counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism." The man is obviously a born optimist.

Meanwhile, US Secretary of Commerce, Wilbur Ross, says he is "deeply disappointed" but will work with the EU to "limit the negative consequences to the US$7.1 trillion trans-Atlantic economic relationship that is so vital to our respective citizens, companies and governments."

It sounds all very diplomatic and positive but we are living in a febrile age and the ECJ ruling highlights the ongoing friction between the EU and the US where European privacy rights and US surveillance legislation is concerned at a time the subject could become prime political fodder in the run up to the 2020 US presidential election.

The US authorities claim that surveillance legislation is "narrowly focused" and provides "sufficient" data protection without actually saying why they are sufficient. Two things are certain: the EU's GDPR is far more stringent than US "equivalents", and the US is't going to change its data and surveillance laws to accommodate the EU - or anywhere else for that matter.

The net result of the judgement is that some companies (probably Facebook, whose questionable practices occasioned the legal suit that eventually resulted in the ECJ ruling) will, at some time in the indeterminate future, localise aspects of the European data they harvest and keep them on servers sited within the borders of the EU.

The UK? Out in the Channel all on its lonesome

And where does this leave the UK? Post-Brexit we seem destined to become the "piggy in the middle" of a transAtlantic game of hardball between two huge trading blocks. As things stand, data transfers from Britain to the EU remain unaffected until 2024. After that, when we have fully "taken back control", who knows what will happen? It's anyone's guess.

The UK says it will retain parity with GDPR when the transition out of the EU is completed on December 21 this year, but in the medium- to long-term it might not. If it doesn't, the EU might decide that the UK's privacy laws are inadequate and do not meet the privacy requirements of GDPR. That, taken with Britain's own surveillance laws and its obligations under the "Five Eyes" intelligence programme could cause problems with data transfers from and to the EU - which will continue to be our biggest trading partner despite Brexit.

In that case it will be a choice between adhering to the excellent privacy standards enshrined in the EU's GDPR or reducing standards of privacy protection to US levels. Perhaps we could print the trimmed-down new British standards on newspaper and use it to wrap the cheap, glow-in-the-dark chlorine-washed chicken that will flood in from the US as we reduce our food standard regulations to meet the terms of a much-vaunted "special" trade deal with the US.

It'll be like the tradition of wrapping our revered fish and chips in yesterday's news but, with doctored, chicken, pork and beef replacing the cod and haddock, and so rather more likely to result in a bout of the bad beer quickstep. Now I know what they mean by "a race to the bottom.​"

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.