Brian Siney of BeSecure Jersey weighs up the potential impact of the EU’s recent data protection ruling against the US
Looking back over the last few months, there was one pivotal legal decision to note: the EU’s Court of Justice ruling in the Schrems II case, whereby it invalidated the Privacy Shield international framework for the transfer of data from the EU to the US. The ruling comes five years after the Schrems I case, which invalidated the previous framework Safe Harbor. The decision was based on the overreaching powers of US surveillance, which ultimately erodes the data protection rights of EU citizens.
The second element to the case was the confirmation that the Standard Contractual Clauses (SCC) mechanism for data transfer was deemed legal. In the immediate aftermath of the decision, European and US businesses scrambled to understand the impact of this decision and looked for possible alternative solutions, such as those available in Article 49 of the GDPR. Only time will tell if the disruption is temporary or permanent.
What is fascinating about this case is the growing influence and power of the “new” EU data protection law, which is quickly becoming the global standard in data protection. Countries around the world are adopting this framework, which is beginning to have serious implications on big tech organisations such as the global US social media companies. Not only is the possibility of incurring large fines such as the highly publicised 4% of global annual revenues under GDPR a concern, but sanctions that can have an immediate effect on business arrangements to restrict their operations is surely a big worry for their shareholders. EU citizens data protection rights versus big tech global dominance, US surveillance, new technology intrusive capabilities, are all various perspectives one could view the current developments.
I am excited to see how our rights will be protected and enforced in this new “GDPR world”. We must support and properly finance our European and local data protection regulators to achieve this.
We must not forget Brexit too. The UK is only a few weeks away from the end of the transition period arrangements with the EU. Will the EU give the UK the “adequacy” status (recognising the equivalence of its data protection law to GDPR law) so badly needed to avoid yet another headache for UK businesses already reeling from Covid-19? Jersey too will soon have its adequacy status reviewed by the EU, which will no doubt put a spotlight on our data transfer arrangements with the UK and our ability to implement effective data protection rights of not only Jersey citizens but also European citizens.
It will be fascinating to see how it pans out, which is why at BeSecure we help businesses and organisations understand what impact legal developments like this will have. We’re here to help you respond and offer support with the ongoing compliance and to help make data protection and data privacy an integral part of your business’s DNA.