Some of Europe’s largest companies have called for guidance on how they should transfer data to the US, after facing legal challenges from activists.
Meal delivery group Just Eat Takeaway, Danske Bank and the University of Luxembourg all said they wanted clarification from regulators after Noyb, a non-profit privacy campaign group, filed official complaints against them and 98 other organisations for failing to protect the data of their users.
Noyb’s founder, Max Schrems, won a ruling at the European Court of Justice in July which invalidated Privacy Shield, the transatlantic agreement used by around 5,000 companies to transfer data from the EU to the US.
Mr Schrems successfully argued that the data of EU citizens was not as safe in the US as in the EU because of the threat of surveillance by US intelligence agencies, and that it was not clear that the mechanisms of the Privacy Shield could offer genuine legal redress.
Since the ruling, companies have relied on individual legal agreements, known as standard contractual clauses to transfer data, but even here, the ECJ suggested they may need to create additional safeguards to make sure data is protected to EU standards.
The only data protection authority to offer specific rules to date has been the DPA in Baden-Württemberg in Germany. Among its suggestions were for companies to encrypt or anonymise data to avoid it being snooped on in the US.
On Friday, the Wall Street Journal reported that Facebook had lodged an appeal against a preliminary order by the Irish Data Protection Commissioner to stop transferring data to the US.
In a post on Wednesday, Nick Clegg, vice-president of global affairs at Facebook, noted that a lack of safe, secure and legal international data transfers would “damage the economy and hamper the growth of data driven businesses in the EU.”
The Irish DPC declined to comment.
Meanwhile, Noyb has filed complaints to national data regulators in Europe against 101 European websites that use Google Analytics or Facebook Connect, arguing that they are not compliant with the ECJ ruling.
“Noyb is . . . challenging the legitimacy of [the standard contractual clauses] and, if successful, the repercussions for transatlantic digital trade will be huge,” said Mark Kahn, general counsel and vice-president of policy at customer data platform Segment.
European justice commissioner Didier Reynders acknowledged that there was “no quick fix” for transatlantic transfers in a European Commission committee last week. “It’s a real political debate; it’s not just a technical issue.”
The European Data Protection Board said last week that it had formed a task force to handle Noyb’s complaints in a consistent fashion, and that it was working on additional information on measures companies can take to secure data transfers.
While talks are under way between the US and EU to find another mechanism, lawyers suggested that any future system would also be attacked by privacy activists without major changes to US surveillance law.
“The problem is there’s still no judicial redress [for EU citizens’ whose data is transferred to the US],” added Romain Robert, a senior lawyer at Noyb. “If they just make another [Privacy Shield] they’ll have a Schrems III, a Schrems IV.”
Bridget Treacy, partner at Hunton Andrews Kurth noted that the challenge of protecting EU citizens from surveillance may restrict data transfers to many other countries, such as those with poor human rights records or mass surveillance laws.
The UK may also fall into that group after Brexit, when it will have to seek an agreement from the EU that its data protection regime is adequate.
“The greater scrutiny and higher standards under Schrems II don’t spell high hopes for an adequacy decision by the start of January 2021,” warned Tom de Cordier, partner at CMS.
An ICO spokesperson said that it welcomed the government’s commitment to maintaining high data protection standards and its intent to seek “adequacy decisions” from the EU to allow personal data to continue to flow freely.