BRUSSELS (Sputnik) – In the wake of the Cambridge Analytica-Facebook data scandal, a new EU regulation is set to toughen rules on data flows for foreign-based companies and bring all EU states in line with a single set of standards for protecting Europeans’ personal data, legal industry experts told Sputnik.
On May 25, the EU Data Protection Directive 95/46/EC on the protection of personal data will be replaced by the General Data Protection Regulation (GDPR). The move has been long in the making, but it was suddenly put in the limelight by the “Facebook affair,” the undisclosed use of the personal data of millions of Facebook users by consulting firm Cambridge Analytica without their consent.
Tougher on Multinationals
Speaking to Sputnik, Rebecca Cousin, partner at London-based law firm Slaughter and May, said that the new regulation is designed to extend the scope of EU data protection rules to foreign-based companies that handle the data of individuals in the EU, and to toughen the financial consequences of leaking data to third parties.
“The new regime has extraterritorial effect so it will apply to companies who do not have an EU base if they offer goods or services to individuals in the EU or if they monitor their behavior. This will bring many more entities within the scope of the EU data privacy regime and we are therefore seeing companies from around the world assessing the impact of the GDPR on them and what steps they need to take to comply,” she said.
In terms of financial penalties, Cousin, who co-heads the Slaughter and May Data Protection and Privacy practice, explained that companies will not only face a manyfold increase in potential fines if they fail to protect their customers’ data, but also a greater number of lawsuits by individuals, as a result of the greater awareness created by the Cambridge Analytica scandal and the EU response.
“In the new regulation, sanctions are increasing with fines having a maximum of 4% of worldwide annual turnover (or EUR 20 million if higher). To give a comparison, the maximum level of fines in the UK is currently £500,000. The size of the fine is, therefore, a much greater deterrent for internet giant firms such as Facebook or Google, albeit the reputational impact has always been a strong deterrent. It will continue to be important for many companies. The fines go to the regulators as opposed to individuals bringing claims for damages. I expect an increase in civil cases against companies for data issues, in part due to the greater awareness of individuals’ rights, and claims companies are starting to promote the ability to bring these types of claims,” she said.
A Regulation to Replace a Directive
The first basic question is why a directive, a European law approved by the European Parliament and then transposed by each country into its national legislation, must suddenly be replaced by a European regulation, which applies directly in every member state without transposition.
The reason is to eliminate the delays and divergence that result from each country transposing the directive on its own, often with rules that differ slightly from the original text, with only some oversight by the European Commission, according to legal industry experts.
“Of course, nowadays such data can easily be transferred outside the Union to countries which do not necessarily guarantee an equivalent level of protection. In order to prevent these data from being used contrary to European rules, the Directive specifically targets ‘cross-border flows’ (i.e. transfers of personal data outside the European Union). The Directive prohibits such flows to third countries that do not provide a level of protection which it qualifies as ‘adequate’. The European Commission is responsible for deciding whether a country provides such a level of protection. If this is not the case, the Directive nevertheless allows a transfer subject to compliance with certain conditions, for example where the controller provides ‘adequate guarantees’,” Jean-Francois Bellis, from the Brussels law firm Van Bael & Bellis, told Sputnik.
Until 2013, transfers to the United States were considered “safe” and raised no transfer problems: Europeans lived under the “Safe Harbor” agreement between Brussels and Washington.
But then, on June 6, 2013, Edward Snowden, a computer specialist who had worked for the CIA and the NSA, revealed the scale of the surveillance that the NSA was conducting on US and foreign networks, including social media. Europeans were being listened in on by the NSA. This was a huge scandal at the time. Snowden, the whistle-blower, sought refuge in Hong Kong and then Russia, where he has obtained asylum until 2020.
How Ireland Comes Into Play
With regard to the specifics of Facebook’s presence in Europe, which until recently used Ireland as a base for its tax and revenue operations, experts explained that the legality of data transfers out of Europe to the United States has yet to be determined by the Court of Justice of the European Union (CJEU), which has yet to rule on a five-year-old legal case against Facebook. The proceedings were initiated in 2013 following a complaint lodged by Austrian lawyer Max Schrems with the Irish data protection authority.
“Why Ireland? Because Facebook Ireland shared the European data with Facebook Inc in the United States. According to Mr. Schrems, the surveillance program of the US National Security Agency, which Edward Snowden had just made public, was incompatible with European fundamental rights and, as a result, according to Schrems, Facebook had to suspend cross-border data transfers to the United States to the extent that they could potentially be subject to massive surveillance by the NSA. This procedure gave rise to a preliminary question to the CJEU, which in 2016 annulled the EU-US Safe Harbor,” Jean-Francois Bellis said.
Of course, the European Commission, the US government and the companies involved tried to find a solution to enable the data flows to continue across the Atlantic.
Following the annulment of the Safe Harbor agreement, Facebook Ireland abandoned the so-called “adequacy” route for a system of “sufficient guarantees” and entered into a contract with Facebook Inc. incorporating the “Standard Contractual Clauses” of the European Commission. These Standard Contractual Clauses were recognized by the European Commission as offering “sufficient guarantees” for cross-border flows.
But for the Austrian plaintiff Schrems, these measures were not enough. He turned to the Irish Data Protection Commissioner (DPC), which could have suspended such transfers. However, the Irish DPC chose not to suspend the transfers and instead brought proceedings before the Irish High Court, which has passed the hot potato to the CJEU.
The Court of Justice of the European Union should, therefore, provide answers to a number of questions that will determine whether the Standard Contractual Clauses can still be used for transfers of personal data to the United States. The decision is considered important because thousands of companies rely on such Standard Contractual Clauses.
“The Irish court has the ability to refer questions of European legislation to the ECJ where it needs a ruling on the law in order to be able to apply it to the facts of the case. The only certainty now is that it won’t be a quick process to get the ruling of the European Court of Justice,” Rebecca Cousin from Slaughter and May said.
It could be another two years before the European court gives an answer and states whether Facebook and the other internet giants can export European data to the United States. Urgent issues can wait a little longer.