Companies hope to avoid ‘catastrophic’ EU data-transfer ruling

An imminent privacy ruling has the potential to cause chaos for companies which transfer data out of the EU.

Legal experts are confident that a “worst-case” judgement will not be reached, but still warn of far-reaching implications.

It involves a case against Facebook by a privacy advocate who objected to his information being sent to the United States.

Thousands of companies rely on the existing measures, which are at risk.

The case before the European Court of Justice (ECJ) is complex, but hinges in part on the concern that US law requires Facebook to hand over personal data to authorities such as the National Security Agency or FBI.

Max Schrems, an Austrian national, lodged a case in 2013 after the Edward Snowden leaks revealed the extent of US surveillance.

As a result, the ECJ overturned the long-standing “Safe Harbour” arrangement in 2015.

In the aftermath, the EU and US came up with alternatives, which Mr Schrems challenged again, and this is now before the European Court of Justice.

“The concern has always been: when data leaves Europe, what’s happening to it? It may not have equivalent rights, and individuals may not have equivalent protection,” explained Jonathan Kewley, co-head of Technology at law firm Clifford Chance.

• Facebook quizzed in court on data transfers
• Google and Facebook face GDPR complaints

Most very large firms use what are called SCCs – pre-written non-negotiable contracts drawn up by Europe, which legally commit companies to upholding certain standards.

An opinion written by an advocate-general written in December recommended that SCCs remain, despite some concerns. However, the court is not bound to follow that recommendation – and could still declare them invalid.

Mr Kewley said that was “unlikely”, but if it did happen, it would be “pretty catastrophic”.

“It would be an extreme and unwelcome decision… and I’m not just talking about technology companies. This is about every business.”

This would affect most countries outside the EU. It could, for example, affect a firm that wants to send human resources or payroll data to a head office outside the EU, or one which wants to store personal records in cloud storage located in the US.

It would not affect strictly-necessary data transfers – for example, emailing a hotel abroad to book a room, or visiting a website based in China.

Mr Kewley said a “much more likely scenario” is that SCCs are policed more closely in future, or considered on a case-by-case basis.

Any decision is unlikely to affect the UK, even after the Brexit transition period ends at the end of this year.

European GDPR (general data protection regulation) rules have been adopted into UK law, and it is widely expected – although not certain – that a so-called “adequacy decision” will be granted, effectively saying that the UK’s privacy rules are up to EU standards.

That could change in future if the UK changes its laws to deviate from the current standards.