The decision today by the EU’s top court to restrict personal-data transfers to the US has been billed as a blow to the likes of Facebook. But it also has big implications for banks and other financial services firms.
The EU-US “Privacy Shield Framework” was established by the European Commission and the US Department of Commerce in 2016 to legitimise transfers of personal data from the European Economic Area to the US, and to act as a limited adequacy agreement. Only transfers to companies in the US that self-certify under the Privacy Shield Framework are covered.
But a complaint filed by an Austrian privacy activist and lawyer, Maximilian Schrems, in 2015 now threatens to upend this transnational agreement. This case, known as ‘Schrems II’ because it followed an earlier complaint in 2013, was referred to the European Court of Justice in 2017, and judgement was pronounced today.
In 2013, Schrems questioned the transfer of his personal data by Facebook Ireland to its parent company Facebook US under what was then the EU-US Safe Harbor Framework, arguing that it was incompatible with the Charter of Fundamental Rights of the European Union. As a result of this case, the Safe Harbor Framework was invalidated in 2016, which led to the creation of the EU-US Privacy Shield Framework.
But in his second complaint, Schrems amended his argument against Facebook by challenging their transfer of his personal data to the US on the basis of EU Standard Contractual Clauses (SCCs).
So under the new case (Schrems II), the CJEU assessed the validity of both EU SCCs and the EU-US Privacy Shield Framework.
EU SCCs are contractual clauses which must either have been adopted or approved by the European Commission, and are intended to provide appropriate safeguards for international data transfers under Article 46 of the GDPR, provided that the SCCs are adopted completely and unaltered.
Though the legal case was triggered by concerns over Facebook in particular, it will have far-reaching implications not only for tech companies but many other organisations, especially those in financial services.
Banking, fund management and insurance firms all have complex dataflows that generally involve multiple international data transfers, often with several different organisations based in the US. Those currently relying on the Privacy Shield mechanism will need to review their transfer mechanism and implement an alternative safeguard in order to continue exchanging personal data with the US lawfully.
The striking down of the Privacy Shield framework creates further operational burdens for the many thousands of EU organisations that rely upon the self-certification mechanism to legitimise their EU/US personal data transfers. Until such time as a new mechanism can be introduced, alternative transfer safeguards will need to be rapidly implemented, representing another huge distraction for EU organisations that are already focused on their Covid-19 response and Brexit preparations.
Never before has data protection been elevated to such a high level of priority within organisations as now, but momentous events like this morning’s decision mean that from now on, even more focus is going to be required.
Rob Masson is CEO of the DPO Centre, a provider of data protection resources and consultancy