Companies hope to avoid 'catastrophic' EU data-transfer ruling
EU-US Privacy Shield for data struck down by court
(about 5 hours later)
An imminent privacy ruling has the potential to cause chaos for companies which transfer data out of the EU.
The European Court of Justice has declared invalid one of the two legal methods companies use to transfer EU citizens' data to the United States.
Legal experts are confident that a "worst-case" judgement will not be reached, but still warn of far-reaching implications.
They had been able to transfer data by signing up to higher privacy standards under the EU-US Privacy Shield.
It involves a case against Facebook by a privacy advocate who objected to his information being sent to the United States.
But they will now have to sign standard contractual clauses, non-negotiable legal contracts drawn up by Europe, which the court chose not to abolish.
Thousands of companies rely on the existing measures, which are at risk.
The ECJ was concerned about companies handing data to intelligence agencies.
The case before the European Court of Justice (ECJ) is complex, but hinges in part on the concern that US law requires Facebook to hand over personal data to authorities such as the National Security Agency or FBI.
Surveillance laws
Max Schrems, an Austrian national, lodged a case in 2013 after the Edward Snowden leaks revealed the extent of US surveillance.
Max Schrems, the Austrian privacy advocate who brought the case, said: "It seems we scored a 100% win for our privacy.
As a result, the ECJ overturned the long-standing "Safe Harbour" arrangement in 2015.
"It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market."
In the aftermath, the EU and US came up with alternatives, which Mr Schrems challenged again, and this is now before the European Court of Justice.
European data protection law says data can be transferred out of the EU - to the United States or elsewhere - only if appropriate safeguards are in place.
"The concern has always been: when data leaves Europe, what's happening to it? It may not have equivalent rights, and individuals may not have equivalent protection," explained Jonathan Kewley, co-head of Technology at law firm Clifford Chance.
But the ECJ said US "surveillance programmes... are not limited to what is strictly necessary".
Most very large firms use what are called SCCs - pre-written non-negotiable contracts drawn up by Europe, which legally commit companies to upholding certain standards.
"The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred," it said.
An opinion written by an advocate-general in December recommended that SCCs remain, despite some concerns. However, the court is not bound to follow that recommendation - and could still declare them invalid.
"The limitations on the protection of personal data arising from the domestic law of the United States... are not circumscribed in a way that satisfies requirements."
Mr Kewley said that was "unlikely", but if it did happen, it would be "pretty catastrophic".
'Bold move'
"It would be an extreme and unwelcome decision... and I'm not just talking about technology companies. This is about every business."
The EU-US Privacy Shield system "underpins transatlantic digital trade" for more than 5,000 companies, about 65% of which are small-medium enterprises (SMEs) or start-ups, according to UCL's European Institute.
This would affect most countries outside the EU. It could, for example, affect a firm that wants to send human resources or payroll data to a head office outside the EU, or one which wants to store personal records in cloud storage located in the US.
"This is a bold move by Europe," Jonathan Kewley, co-head of technology at law firm Clifford Chance, said.
It would not affect strictly-necessary data transfers - for example, emailing a hotel abroad to book a room, or visiting a website based in China.
"The courts are saying that the surveillance regime in the US does not respect the rights of EU citizens and puts US state interests over the interests of individuals.
Mr Kewley said a "much more likely scenario" is that SCCs are policed more closely in future, or considered on a case-by-case basis.
"What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot."
Any decision is unlikely to affect the UK, even after the Brexit transition period ends at the end of this year.
And it could mean "more Europe data localisation, with more customer data staying in Europe as a result".
European GDPR (general data protection regulation) rules have been adopted into UK law, and it is widely expected - although not certain - that a so-called "adequacy decision" will be granted, effectively saying that the UK's privacy rules are up to EU standards.
Mr Schrems lodged a complaint against Facebook transferring data to the US in 2013, after leaks by ex-CIA contractor Edward Snowden revealed the extent of US surveillance.
That could change in future if the UK changes its laws to deviate from the current standards.
His first case ended with the ECJ overturning the long-standing Safe Harbour arrangement, in 2015.
Privacy Shield and SCCs were created as alternatives.