How the recent decision in Schrems II has consequences for any future Brexit deal with the EU
An unprecedented amount of interest within the global privacy community was generated on 16 July 2020 when the Court of Justice for the European Union (CJEU) delivered its verdict in the case brought by Maximillian Schrems against Facebook Ireland (Schrems II).
Europe’s highest court found that the EU-US Privacy Shield mechanism was invalid for protecting the fundamental rights and freedoms of EU citizens enshrined under Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) whose personal data was transferred to the US.
And while the CJEU choose not to go down the same road for Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCRs), there was qualified support for continuing to use these alternative data transfer mechanisms, with the heavy caveat that SCCs or BCRs wouldn’t automatically be OK to use in every context unless there’s been due diligence by the exporter with the assistance of the importer to ensure that the transfer complied with European law.
As you can imagine, this has left a lot of organisations and companies in limbo and has created an increased workload for their privacy advisors and lawyers as they grapple with interpreting the judgment whilst awaiting guidance from Supervisory Authorities in relevant EU Member States. Berlin has already declared that SCCs can’t be used for transferring personal data to the US.
With all this uncertainty in the air, what are the implications for UK Government in its negotiations with the European Commission and what can companies and organisations expect to see over the horizon after the 31st December 2020?
One consequence of Schrems II for the Brexit trade talks is the newfound confidence of the European Union in flexing its muscles and not shying away from making difficult decisions. The CJEU decision in Schrems II embodies that confidence.
If the UK Government is looking for a free trade agreement and a relaxation of data privacy standards as they apply to EU consumers, this is a non-starter.
If the UK wants to appear to be more attractive for inward investment by having a ‘lighter touch’ data privacy regime, then this could also be another red line for the European Commission in acceding to the UK Government’s request for adequacy status.
With a lot of talk from the European Commission about maintaining a competitive level playing field, the UK’s Brexit negotiators have other thoughts on their minds.
And that could be eating the EU for breakfast as the UK turns from being a long-standing member of the EU family to declaring ‘it’s either my way or no way!’
Time is running out for the negotiations to conclude in the available months ahead.
And given that EU Member States are now preparing for a second wave of the Covid-19 pandemic this Autumn, you could be forgiven for thinking that their focus will be on other things other than striking a Brexit deal.
And remember, British PM Boris Johnson explicitly ruled out asking for any extension past the end of the year for ‘getting Brexit done’.
Let’s hope the UK isn’t afflicted with a second wave of the deadly virus as it could knock out some of the UK’s negotiating team in the process.
There are some optimists who believe all this noise from both sides is posturing and at the 11th hour, both sides will sign up to ‘something’.
Yeah, there’s a lot at stake economically both for the EU and the UK. And let’s face it, all the European economies are on their knees, so a deal is in everyone’s best interests.
And yet both sides continue to accuse each other of being ‘ideologically driven’ in these tough times. Perhaps they are both right on this point but let’s hope they can find a way forward to strking a trade deal.
As anyone who’s been involved in any type of negotiation – including those with small children – experience shows you’ve got to adopt the mindset of finding a compromise to get a deal done.
The infographic tries to touch on what the outcomes could look like, although I’m not confident the ‘full English breakfast’ will be served when both sides come to the end of their negotiations and leave the table fully satisfied.
I’m not a pessimist at heart but academics who’ve been watching what’s been going on have made some interesting observations.
Schrems II is an excellent example of what Professor Ana Bradford described in her book ‘The Brussels Effect’.
Bradford argues that Brussels continues to exert influence across global markets, particularly as companies must comply with higher data protection and privacy standards as a result of the GDPR that’s influenced convergence of data privacy standards in jurisdictions outside of the EU/EEA.
The hypothesis is that the EU is an influential superpower that shapes the world in its own image. By promulgating laws and regulations that transform the global business environment across many sectors, elevating standards such as data privacy worldwide, the EU has managed to influence competition policy, data privacy, online hate speech, consumer health and safety and environmental protection.
Even a partial deal with the EU will still be very challenging to swallow. For example, there could be partial adequacy for the UK, meaning that certain sectors have adequacy and other sectors don’t. So even more confusion is set to come.
A no-deal Brexit could be the place we end up. And it’s not pretty. All EU-UK data transfers are now heavily restricted, and UK now trades with EU on WTO terms. That could spell disaster for financial services, healthcare, retail and other sectors.
In such a scenario, legal confusion and uncertainty will reign supreme as no adequacy decision granted to UK or market sectors could be a possibility, with a threat to UK exports, such as services, but equally it’s a threat to the economy of the European Union to let the UK go without a deal.
Let’s remain positive but plan for the worst-case scenario in the meantime.
The UK Government’s new 38 sheet poster campaign sums this up brilliantly: “UK’s New Start – Let’s Get Going”.
Written for CLARC by Ardi Kolah is founding Editor-in-Chief of the Journal of Data Protection & Privacy.