Jon Benjamin

US companies scramble for data sharing solution, but is there one?

It may have started with WikiLeaks and Edward Snowden, but the fallout from the world of international espionage is now about to have a huge practical impact on all of us in the charity and commercial sectors.

A landmark ruling on 16 July 2020 from the European Court of Justice looks set to undermine the way in which personal data is processed by companies and charities, and it won’t make life easier. The General Data Protection Regulation (‘GDPR’), introduced in 2018 for countries in the European Economic Area, enshrines a whole host of rights and legal remedies for individuals regarding how their personal details are used. These have been adopted into UK law by the Data Protection Act 2018. Whilst law-abiding entities in the EU are considered safe recipients of shared data, provided they take care to protect its privacy and security, anyone sharing data outside of the EU (or the UK) has to ensure that the rights of individuals will enjoy the same protections as under GDPR.

You may think that you aren’t sharing data with anyone, inside the EU or otherwise, but there’s a very good chance that you are. If you take the sensible precaution of backing up data, including the personal details of staff, donors, volunteers, clients or customers, the company that provides that service to you may well be outside of the EU, and many are based in the USA. The same goes for email platforms like MailChimp (based in Atlanta, Georgia) or Constant Contact (Waltham, Massachusetts) that many organisations use for email mailshots and bulletins. In each case, the lists of contacts you share with these service providers may well be transferred outside of the EU.

None of this was an insurmountable problem until the decision from the ECJ in the Schrems case and the chilling effect of Snowden (see what I did there?). Max Schrems is an Austrian privacy activist who challenged Facebook’s privacy protocols through a complaint to the Irish Data Protection Commissioner. The basis of the challenge was that Edward Snowden’s whistleblowing had revealed the extent of US intelligence intrusion into private data records, meaning that even well-meaning US companies could not guarantee the security of the data they received from the EU, and EU citizens would not be afforded the rights and remedies that GDPR entitled them to. Initially the European Commission and the US relied upon the Safe Harbour Agreement, meant to guarantee the same rights for EU citizens whose data was transferred to the US, but this was struck down in the Schrems I ruling in 2015. The latest ruling, in what has been called Schrems II, has now also struck down the Privacy Shield Arrangement that replaced Safe Harbour.

Many organisations were already relying on standard contractual clauses (‘SCCs’) to ensure that personal data was treated to the same standard in the US as in the EU – and it’s a GDPR requirement that any sharing of data is formalised in an agreement between the parties. The ECJ ruling has not ruled these to be invalid, but there remains a fundamental problem even with SCCs. If a recipient of data cannot guarantee the privacy of the data shared with them, even if the threat is US government snooping rather than criminal hackers, how can they ever meet GDPR standards? In which case, how can a data controller lawfully share data with them? The European Data Protection Board advises against relying on SCCs with US companies and recommends that those sharing data must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. It says that "the receiver of the data may be able to assist you with this", so you can interrogate your US data processor as to how they can ensure the adequacy of their terms and conditions. It's not clear how they can.

Just to make matters more interesting still, post-Brexit Britain is now in a rather odd position. It has adopted GDPR standards, but it and its citizens are not in the EU or subject in the same way to the ECJ and its rulings. If the UK breaks ranks and concludes a new Privacy Shield-type bilateral arrangement with the US, no EU-based companies will be able to share data with UK companies. And if the UK throws in its lot with Europe, US companies will have to be off limits for UK organisations who need to share data. So far the UK regulator, the ICO, has yet to come up with any clear guidance - as their website says, "The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice." The US government has already said that it will not compromise its security practices, and so it will be for big tech and their lawyers and lobbyists to find ways through and around this – so watch this space!


