Industry figures have warned that a decision today to ban Privacy Shield, a data-sharing deal between the EU and the US, will compromise the UK’s hopes of securing its own data-sharing agreement at the end of the Brexit transition period.
Judges at the European Court of Justice (ECJ) today banned the Privacy Shield data-sharing agreement between the US and the bloc over surveillance concerns, and said that national regulators need to take tougher action to protect the privacy of users’ data.
In a statement, the court said the US’ data sharing policies “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
The ruling comes as a major blow to thousands of tech companies, social media firms, banks and law firms that use the agreement to transfer large swathes of data between the US and Europe.
However, legal experts have warned that the court decision will particularly impact British businesses when the UK formally leaves the EU at the end of the transition period on 1 January.
Daniel Tozer, head of data and technology at law firm Harbottle & Lewis said the ruling may compromise the UK’s chances of securing a post-Brexit data sharing agreement from the EU.
“Following the transition period, the UK will become a ‘third country’ to the EU. This judgement raises questions about the UK’s ability to be awarded data protection ‘adequacy’ by the EU, given the UK’s own surveillance laws and its membership of the Five Eyes programme,” said Tozer.
“Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed.”
In November, the UK secured a deal with the US to make it easier to share data between national security bodies in the two countries. But the European Data Protection Board warned that the deal may jeopardise the UK’s chance of securing an independent data sharing agreement with the EU after Brexit.
The Prime Minister in February said the UK was planning to set up sovereign controls over its data sharing policies, and that Britain could diverge from EU rules once it leaves the bloc.
But the ruling today means the UK’s surveillance laws are likely to be subject to similar scrutiny to those of the US, as the European Commission attempts to weigh up whether UK laws respect the privacy rights of EU citizens.
The UK has embedded the EU’s GDPR into its own national law, but Britain has a questionable track record in mass surveillance schemes. A landmark European Court of Human Rights ruling in 2018 found that the UK had breached human rights protections in its mass surveillance program by Britain’s spy bodies, initially revealed by Edward Snowden in 2013.
The EU has subsequently called for a “high level of personal data protection” in its trade negotiations with Britain, and has said that any data sharing deal must “fully respect the Union’s personal data protection rules”.
Mark Lubbock, partner in the innovation and technology group at law firm Brown Rudnick said the decision will likely cause a headache for all governments, but in particular will make data transfer between the UK and the EU much more difficult post-Brexit.
“Large swathes of EU-US data transfers may be in breach of GDPR [rules] and, once the transition period is over, data transfers between the EU and the UK will become much more difficult.”
“One would like to think this issue was foreseen and an effective response is prepared and ready to be put in place but, given what we have seen in terms of the US, EU, [and] UK governments’ responses to Covid-19, I fear there is a risk that this is not the case.”
Bridget Treacy, data privacy partner at London law firm Hunton Andrews Kurth, added that the UK government may now have to rethink its surveillance bodies to bring them in line with EU law.
“This was an unexpected result,” said Treacy. “For businesses that transfer personal data… this represents the worst of all possible outcomes.
“The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission. The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”