
Mishcon Academy: Digital Sessions - The Schrems II judgment and the future of free movement of data

Posted on 16 July 2020

Mishcon Academy: Digital Sessions are a series of online events, videos and podcasts looking at the biggest issues faced by businesses and individuals today.

The European Court of Justice has delivered a hugely significant decision which may shape the future of global trade. In this “initial reactions” session, Partner Adam Rose and Data Protection Advisor Jon Baines discuss the findings and the implications, which include:

  • The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
  • Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
  • The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge. 
  • Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
  • Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.

This was a pre-recorded session held on 16 July 2020. All information was correct at time of recording.

Adam Rose

Hello and welcome to the Mishcon Academy Digital Sessions, a series of online events, videos and podcasts looking at the biggest issues faced by businesses and individuals today.  Today we’re looking at the judgement issued this morning by the European Court of Justice in what is known as the Schrems II case and my colleague Jon Baines and I, Adam Rose will be discussing the ins and outs of this judgement, what it means for businesses and what it means for you as people.  Jon, do you want to just start off maybe by saying very shortly what the case was all about?

Jon Baines

Yes, thanks Adam and morning everyone.  I think one thing I will say is a little caveat.  This judgement came out only about an hour ago.  These are very much my first impressions and yours also Adam, I think so, we will be looking more closely at the judgement and doing some deeper analysis.  But yeah, this is the, possibly the culmination, maybe only a mid-point of various challenges, Court cases, looking at the validity and the legality of the transfers of personal data from the European Union or more correctly, the European Economic Area to countries outside.  Specifically, it arises from complaints made by a chap called Max Schrems, who has had a long-running campaign looking at or challenging, the validity of the transfer of data by Facebook from the EU to the US and it’s in light of the concerns that were raised by the Edward Snowden revelations around the ability of the US authorities to access electronic data.  So, what we have today is a judgement which in some ways dates back to 2013, looking at just how valid the legal mechanisms are for transferring that data. 

Adam Rose

And I guess the starting point on this I guess is the European Union says, ‘You can transfer data freely within the European Union, but you mustn’t transfer it outside unless…’ and the ‘unless’ bit is really what’s caught, been caught in the headlights here. 

Jon Baines

Yes.  Yes.  So, the ‘unless’ point is that the law provides for free movement of personal data within the European Union and that data can only be transferred outside the European Union if the third country in which the recipient is based, third country has an adequate level of protection for personal data.  Now, there are a number of ways that that can be shown.  The kind of over-arching, the best possible option is that the European Commission has said that the country, it’s made a decision and said the country offers an adequate level of protection.  That’s actually only been done in a very limited number of cases. 

Adam Rose

And typically those have been, those have been sort of like the small offshore jurisdictions, the Channel Islands, New Zealand, Canada, Uruguay, Israel but by and large we’ve got the 28 member states of the European Union which is sort of one space where data can be transferred and you and I will come on to… we’ve been going for about 3 minutes… we’ll come on to Brexit shortly.  European Union, these sort of 10 other countries which are not the USA which is sort of the key to all of this and just to pick up I guess, there are binding corporate rules which aren’t addressed in this judgement but I guess we’ll have a look at briefly.  Standard contractual clauses, which was a decision of the European Union that says, ‘if you sign up to these clauses you can transfer data’ and there’s a big ‘But’ now associated with this judgement.  And finally, if the European Union has made a finding of adequacy that we’ve talked about so, the thing I guess to pick up on from the background to Schrems is Schrems’ complaint was data was being sent to America.  He was concerned that the American Security Services could access that data and he brought his first case as you mentioned, in 2013 and that found after the Snowden revelations, that the Safe Harbour scheme didn’t stand up.  European Union and America agreed the privacy shield and the real core of this case is saying that privacy shield is dead. 

Jon Baines

That’s right and interestingly, we weren’t sure until this morning whether the Court would actually make a ruling on that.  There were a number of questions referred to the Court and it would have been open to them not to have decided that.  But it crucially and perhaps unsurprisingly, given the Court’s previous decision on the adequacy of the level of protection provided in the United States, the Court has said that the 2016 decision whereby US companies could effectively self-certify that they were adequate, they had an adequate level of protection, the Court has said that decision is invalid because it still remains the case that let’s call it the US surveillance regime, still allows the US authorities to access data effectively without the party’s control. 

Adam Rose

And I think that, I think that really goes to the guts of this decision doesn’t it because the European Court has said, ‘You might self-certify or even you might be a perfectly adequate recipient of the data, but it’s the fact that the government authorities in the country of receipt of the data might be able to access that data, might be able to undermine the sort of probity of that data, is what’s really the real core of this judgement and I think that issue carries forward throughout all the other systems in place.  You and I were speaking earlier the judgement came out 8.30, it’s not quite 10.00 o’clock yet and it’s a 60-odd page judgement so these are as you said, our initial views on the case.  But it looks as if privacy shield which was meant to overcome the holes in Safe Harbour has definitely been killed off.  Now, whether Europe and the US will come up with Privacy Shield 2 or Safe Harbour 3 or whatever they want to call it.  But the model clauses, the standard contractual clauses, which was the thing that most businesses have actually relied on these sort of standard EU-approved contracts in place to transfer data from the European Union to processors in third countries the Court has said ‘Well, that might not work either’. They’ve said the clauses stack up and we support those clauses, they still work but going back to your point that the Court said, ‘If the country of receipt doesn’t provide adequate level of security for data when it receives it, then no model clauses, no standard contractual clauses correct that hole’ and therefore, I guess the level of due diligence that you need to carry out and we thought there was an issue around due diligence from the Advocate General’s opinion around Christmas time, I need to not only have… if I’m in the European Union and you’re Somewhere Else and the example we were giving each other when we were chatting before was Bolivia.  
If you’re in Bolivia as the recipient of the data, you can sign up to the model clauses and say, ‘Yes, I’m a pukka processor sitting in La Paz and that’s fine’ but if it turns out that actually you believe that the Bolivian authorities might be able to access this data, the judgement seems to say, you’re meant to a) hold your hand up and say, ‘But wait a minute Adam in the European Union, please don’t send me your data because I can’t guarantee its security because the Bolivian authorities might investigate it, might access it.  Yes, use the model clauses, I’m okay in La Paz, but I don’t think you can send me data anymore’ and then I can’t send you data. 

Jon Baines

Yeah and I think the other thing is, even if the parties decide that they can, I think this ruling is very clear that it’s going to be also necessary for the supervisory authorities which is in Ireland the Data Protection Commissioner, the Information Commissioner in the UK.  It’s for the supervisory authority then to step in and say, ‘No.  This, despite the fact that you between you, you as parties have said you’re entering into this… these model clauses, these standard contractual clauses, the country in which the recipient is based does not provide an adequate level of protection’.

Adam Rose

So there is I guess three things that we need to pick up on there.  One is transfers of personal data to the US.  The second thing is, is there any way that you can get around this? If Privacy Shield doesn’t work and standard contractual clauses don’t work to transfer data to the US, what about binding corporate rules which are probably the other mechanism.  We’ll look at… so, US binding corporate rules and then Brexit, which we’ve got to finish on, I guess.  So, the US it looks very hard to see how data can be transferred to the US because if US is inadequate for the purposes of Privacy Shield, it’s hard to see how it can be adequate for the purposes of model clauses. 

Jon Baines

I think that has to be right and I think you and I were avidly watching the news and the social media reactions to the judgement.  I think some of them were Privacy Shield is invalid but model clauses are fine.  Well, yes but…

Adam Rose

It’s a ‘Yes if…’ isn’t it?

Jon Baines

Yeah.  If the underlying regime in the recipient country and again I use the phrase ‘The US Surveillance Regime’ is felt not to be or held not to be adequate it’s very difficult to see if you can lay on top of it any transfer mechanism that’s not going to be vulnerable. 

Adam Rose

And that’s going to be the same with binding corporate rules as well. 

Jon Baines

I think so.

Adam Rose

So, binding corporate rules which are a system, a sort of network of agreements within organisations so that Adam Rose Ltd and Adam Rose SA of France and Adam Rose GMBH of Germany can all transfer data to Adam Rose Inc in the US and you’d set up these binding corporate rules within organisations so that networks of data transfers can take place.  That’s got to be dead as well because I can’t guarantee the level of adequacy in binding corporate rules because I can’t in standard contractual clauses because the Court has said, ‘It doesn’t work for Privacy Shield?’

Jon Baines

I think so and  I think Adam, maybe you know, what we’re looking at really here is a conflict of laws between European Data Protection Law and separately Privacy Law and US surveillance law.  It’s a conflict of laws. 

Adam Rose

But it’s not just the US now is it? Because I guess…

Jon Baines

Oh, indeed. 

Adam Rose

… lots of organisations have entered into these standard contractual clauses when transferring data from their European operation to some other operation.  You can just go in any sort of country, Thailand, Vietnam, we mentioned Bolivia, it doesn’t matter, Philippines.  The whole bunch of countries where data gets transferred, where the recipient isn’t going to be able to say, hand on heart, ‘My country gives the relevant level of protection for people from your jurisdiction’  which is what this is really about, giving people GDPR-level of protection in a country which doesn’t have GDPR standards of rights. 

Jon Baines

Yeah. 

Adam Rose

I want to move on to, quickly, because sort of we’ll be coming to an end shortly, in terms of Brexit and the impact of this judgement and the impact of Brexit on UK controllers looking to send their data beyond the UK.  Now, I guess they’ll be able to transfer their data to Europe.  To the EU or to the EEA because there’s no doubt that has a level of adequacy for GDPR or post-Brexit GDPR-type law that we will have but beyond that, I suspect if the UK sanctions transfers of data to the US in circumstances where the EU Court has said, ‘You can’t do that’ the UK risks its own level of adequacy being questioned at the very time that we’re seeking an adequacy finding from the EU. 

Jon Baines

I think so.  Effectively we’re caught up in the mischief which has been identified in the US and you know, there have been a number, any number of discussions about what sort of arrangements will be in place between the EU and the UK post-Brexit. 

Adam Rose

So I, I, I guess it’s possible that the UK could in deciding to go down its own route, let’s just sort of create a world post-Brexit, where the UK says, ‘We’re going to diverge from the European standard because it makes sense for us to attract, say Facebook, from its Dublin European Headquarters, to a Bard Castle Headquarters and it decides we’re going to attract Facebook here.  We’ll have a low-tax regime.  We’ll get Facebook here.  We will allow Facebook UK to transfer data to America because we the UK have found that America’s okay, irrespective of what Europe has found’.  Europe will then be bound to find that the UK doesn’t offer an adequate level of protection because we let our data go to funny countries like America but I could see that competition coming in between the UK trying to attract the world’s major technology companies, the Googles the Facebooks, the WeChats, the TikToks to get UK headquarters whereas Ireland has been very successful and Luxembourg have been very successful in attracting those companies until now. 

Jon Baines

Yep.  And look we, I said earlier that, we might be at the end point, but we might actually be part way through this debate.  I think, on reflection, it’s probably the latter.  You know, as we know, to an extent the law and regulation is always playing catch-up and yes, one can imagine that there may be circumstances in which the UK for a period becomes an attractive jurisdiction to… in which large companies might wish to base their sort of let’s say European Operations but just outside Europe.  But that may be subject to future challenge. 

Adam Rose

Well, indeed and so Schrems, Schrems III, I guess Schrems III is one of two things.  It will be either, does the UK provide an adequate level of protection or binding corporate rules and I suspect binding corporate rules will be what Schrems III is about and to me it seems obvious based on these judgements that if he wins again the only other thing to add in in terms of the UK going its own way post-Brexit is if the UK Courts start undermining ECJ judgements such as this and creating a British version of it, which finds that we could have our own Privacy Shield with America.  We could allow data to be transferred and it might be more important for the UK to have that US thing than for the rest of Europe but I suspect we’re sort of essentially at an end of this unless there’s anything final you want to add, Jon to it?

Jon Baines

I just wondered Adam, if there was a call to action for companies in light of this.  I once again give the caveat that this is a very much initial reaction, well for me it is.

Adam Rose

I think companies…

Jon Baines

Sorry. 

Adam Rose

Go ahead.  No, no.  Go ahead. 

Jon Baines

I asked you the question. 

Adam Rose

Give me the answer as well, Jon. 

Jon Baines

Well, I guess the answer is if you, if a large part of your business is based on the transfer of data under standard contractual clauses or indeed I should start, if you are transferring data to the US under the Privacy Shield, then you need to very, very quickly review that arrangement because Privacy Shield is now invalid and so query the legality of those transfers.  More generally, or moving forward, if a large part of your business is, involves the transfer of data under standard contractual clauses anywhere in the world you will need to be doing a review of those transfer arrangements. 

Adam Rose

What there is… I guess what there is, is a drift up in that unless you can show that the recipient country provides a GDPR-like standard of protection and is a country which hasn’t yet got an adequacy finding that could be on the brink of an adequacy finding if it sought one.  You shouldn’t be transferring data there now.  How that plays out across all sorts of businesses strikes me as quite a nightmarish thing to be dealing with in the middle of a global pandemic on top of everything, coupled with Brexit.  It’s a very challenging judgement.  I suspect I’ve got to say, I think it’s the right judgement.  I think it’s a consistent and coherent judgement from what I can see.  But it’s a very difficult judgement in terms of what does it do? In answer to your question, companies which were well-prepared for GDPR and therefore know what happens to their data although 2 further years have passed on in time since GDPR came in.  Hopefully, they know where their data’s going.  Hopefully, they know the basis on which their data’s going.  They need to be looking urgently to see what are they doing? How are they doing it? What’s the basis for them doing it?

Jon Baines

Yeah. 

Adam Rose

And to close with the advert, I guess we’re here to help. 

Jon Baines

Agreed. 

Adam Rose

Jon, thanks a lot for your time this morning and thanks a lot. 

The Mishcon Academy Digital Sessions.  To access advice for businesses which is regularly updated, please visit Mishcon.com.

The Mishcon Academy offers outstanding legal, leadership and skills development for legal professionals, business leaders and individuals. Our learning experts create industry leading experiences that create long-lasting change delivered through live events, courses and bespoke learning.
