The European Union’s justice chief played down warnings that the wheels of commerce could grind to a halt after a landmark EU court ruling this week on trans-Atlantic data transfers.
The European Union has done its homework to prevent a repeat of the turmoil of five years ago when the bloc’s top court threw out a data-transfer process that thousands of companies relied on to ship commercial data to and from the United States, Justice Commissioner Didier Reynders said in an interview.
"There’s a huge difference between 2015 and now,” Reynders said ahead of July 16’s decision at the EU Court of Justice on the validity of the bloc’s two most important data-transfer mechanisms. "We are prepared.”
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency. Austrian privacy activist Max Schrems has been challenging Facebook Inc in the Irish courts – where the social media company has its European base – arguing that EU citizens’ data is at risk the moment it gets transferred to the United States.
This week’s ruling by the Luxembourg-based court could go many ways. While an adviser to the tribunal gave a relatively positive assessment of the status quo late last year, judges are free to take a tougher stance.
The court could go as far as banning the standard contractual clauses that many businesses rely on to ship data legally. Another possibility is that it outlaws the EU-US Privacy Shield, the trans-Atlantic data transfer pact that companies can adhere to when they shunt personal information. This was adopted in 2016 to replace the previous accord that was torpedoed in the EU court by Schrems.
The ruling is part of two key decisions this week before EU court judges sign off for the summer. The EU General Court, the bloc’s lower tribunal, on July 15 will decide on Apple Inc’s and Ireland’s appeals of the European Union’s record €13bil (RM63.14bil) Irish back-tax bill for the iPhone maker.
What’s changed since the EU court’s surprise decision on data transfers in 2015 is that the bloc has since passed one of the strictest data protection laws, the General Data Protection Regulation. This gives watchdogs unprecedented powers, raising potential fines for companies to as much as 4% of global annual sales. The Privacy Shield is also subjected to annual EU-US reviews.
"We are working on updating the existing standard contractual clauses to align them” with requirements under the GDPR, Reynders said. "We will see if all the different amendments we have prepared are sufficient to answer the court, or if it’s needed, to do something more.”
"We are ready to launch the adoption procedure as soon as possible,” maybe in August or, at the latest, in September, he said.
Reynders has been in regular contact with US counterparts since a meeting with Attorney General William Barr in December to discuss data issues and the European Union has seen a change in recent years.
"At the beginning the question was: ‘why are you doing that?’” and "now the question is more: ‘how could you effectively regulate privacy?’” Reynders said. The United States is aware that "full respect will be needed of the European court’s decision” and it may require "some steps on both sides”.
Data flows are critical to the functioning of economies, according to industry groups and officials on both sides of the Atlantic.
Some 70% of the thousands of companies that are using the Privacy Shield are small and medium-sized companies. The only alternative for them if this tool gets struck down, would be to switch to SCCs, which are more expensive and administratively complicated.
The long list of participants in the case also includes the US government, which is rare in the EU courts.
Privacy activist Schrems this time isn’t questioning the validity of the transfer clauses, but mainly takes issue with how regulators protect EU citizens’ data. It’s a "systemic” problem, he told EU judges in a court hearing.
"There’s a huge amount at stake,” Helen Dixon, the Irish data protection commissioner, told a conference on July 14. The ruling will "provide a definitive reference point against which the challenges presented by EU-US data transfers can be addressed into the future, bringing certainty to bear in an area that has been beset by uncertainty.”
The case is: C-311/18, Facebook Ireland and Schrems. – Bloomberg
Did you find this article insightful?