By Eamon Holley
How potential changes to Standard Contractual Clauses, which allow for data transfers to occur between data controllers in the European Economic Area, could impact businesses in the Middle East
The EU GDPR – or General Data Protection Regulation to give it its full name - has been described as "data protection 2.0". To carry the software analogy further, you could consider it an updated version of a software that relies upon some old bug-laden code. But then again no software is perfect.
One such buggy feature of the updated EU data protection framework is the "Standard Contractual Clauses" ("SCCs") issued by the European Commission ("EC") in 2001, 2004 and 2010. The SCCs are designed to allow for data transfers to occur between data controllers in the European Economic Area ("EEA") and other data controllers or data processors that are outside of the EEA but which are not in countries that have been determined by the EC as having adequate data protection laws.
Currently the EC has not placed any Middle Eastern or African countries on this "adequate list", and so SCCs have been commonly used by controllers transferring personal data to other controllers or processors within the Middle Eastern region.
Max Schrems is a lawyer and privacy activist already known for his successful challenge of the US Safe Harbour scheme. The US Safe Harbour scheme allowed for transfers of personal data from the EEA to companies in the US that self-certified that they were compliant. Max Schrems was concerned that personal data transferred to the US would be subject to US surveillance, and that US surveillance of data was not tempered by the same protections that EU citizens had against state surveillance in the EU.
Mr Schrems first complained to the Irish Data Protection Commissioner, which rejected his complaint. He then filed a case before the Irish High Court, which referred the matter to the Court of Justice of the European Union ("CJEU").
In 2015 the CJEU found that in US Safe Harbour scheme was invalid. The EC and US scrambled to replace the US Safe Harbour scheme with an updated mechanism called the US Privacy Shield, which included an ombudsperson. Mr. Schrems, not satisfied with this remedy, has continued to challenge the US Privacy Shield, as well as the SSCs, on the basis that neither instrument sufficiently protects EU based data subjects from foreign governments surveillance. Again he has commenced a claim in the Irish High Court, and again the Irish High Court has referred questions to the CJEU.
There is a risk then that the SSCs could be invalidated, in which case the legal mechanism by which many regional businesses rely upon to receive personal data from the EEA could fall away.
On July 9, 2019, the CJEU heard representations from various stakeholders on the matter, including Mr. Schrems, the Irish Data Protection Commissioner, Facebook, Electronic Privacy Information Centre, Business Software Alliance, DigitalEurope, Ireland, Germany, France, Netherlands, Austria, the UK, the USA, European Parliament, European Commission and the European Data Protection Board.
The purpose of the hearing was to allow the various stakeholders to make oral representations on their various positions. One representation which may have surprised some, including Mr. Schrems, was the Irish Data Protection Commissioner's ("DPC") position. The DPC, which in 2013 was originally sceptical of Mr. Schrem's position to say the least (then the DPC rejected his initial complaint), made representations to the CJEU that there are a number of risks with the current framework, including around sufficient judicial review of surveillance, and that the SCCs should not be used for EU-US transfers.
Many commentators in Europe consider it is quite likely that the Court will invalidate the SCCs.
As such, a decision could have a chilling effect upon international personal data flows, given the interconnected and data-driven nature of the modern global economy such a decision could at a minimum be problematic and at worst be catastrophic.
You might think that it would be easy for the EC to anticipate that SCCs could be invalidated, plan ahead and then put a Plan B (or Plan C) in place to replace SCCs with another mechanism. Well, to put this in context, the GDPR has been contemplated in one form or another since 2012, and was published in 2016 with a 2 year lead in before it became effective in 2018.
In that time the SCCs (published in 2001, 2004, and 2010) have not been updated to make reference to the GDPR and, despite the new GDPR provision explicitly expanding the EC's data protection jurisdiction to non-EU entities that were providing goods or services to people in the EU, or monitoring their behaviour, and the GDPR imposing some new obligations upon EU based processors, including in relation to transferring data form the EU, the SCCs were not updated to contemplate for this scenario.
The situation with the SCCs as they were drafted was already unsatisfactory for many businesses and their advisors outside of the EU. But, as noted above, nothing is perfect, and so even something imperfect may be preferable to nothing; the threat of imperfect SCCs being invalidated, and the potential risk that their invalidation will be considered invalid from the beginning, is even worse.
The CJEU's decision will be retrospective unless it expressly decides that the decision is not retrospective. A retrospective decision would mean that businesses relying upon the once valid SCCs will then be at risk of fines from EU data regulators or compensatory claims from data subjects.
The CJEU, and then possibly the EC, have some difficult decisions ahead. As businesses and governments are discovering all over the world, the benefits of the new digital data-driven economy are accompanied by new issues that have only been fully appreciated by a few very forward looking thinkers to date.
The obvious benefits need to be balanced against the expectations of privacy by users and the needs of businesses to access data readily, and the desire of governments to maintain security in a world filled with hitherto unanticipated threats.
Unless the EC puts in place another mechanism by which data can be lawfully transferred from the EEA to the Middle East, there are some limited options that such Middle East businesses have. There are some mechanisms available under the GDPR, such as Binding Corporate Rules, or certain derogations for occasional use. These may not be suitable to all circumstances. Another, but risky, option is to continue transferring the personal data in any event, at the risk of fines or compensatory claims referred to above, and possible reputational damage.
Before you hit panic buttons it pays to know what you're actually exposed to. It is unlikely that a final decision will come down before 1 year from the hearing, and so businesses have some time to consider contingencies.
The first step in any compliance plan is to know what you're actually doing now. In this case it means analysing your business's data flows, which could include transfers of data from the EEA to the Middle East, determining what transfer mechanism is being used, how crucial the data transfers are to the business, and likely impacts of not being able to continue such transfers.
Once this assessment is made, then strategies can be developed and decisions taken about what contingencies might be put in place in the event that SCCs are ultimately determined invalid.
As regional governments start to implement their own national or sector specific data protection laws, this issue will only become even more complex for regional businesses. It will pay off to be as prepared as possible in advance of this.
Eamon Holley is a partner at Dubai-based legal firm DLA Piper and part of its Intellectual Property & Technology Team