The Court of Justice of the European Union (CJEU) struck down the “EU-US Privacy Shield”, an intergovernmental agreement on which thousands of US companies based their data processing with EU trading partners and consumers. At the same time, the CJEU generally upheld so-called “standard contractual clauses” (SCC) for data exports but imposed new requirements on their use.
The decision has an immediate impact on data flows between the USA and the EU. But it will also create new challenges for Australian companies that engage with Europe.
The global reach of European privacy laws
In 2018, the EU brought into force the General Data Protection Regulation (GDPR), one of the world’s strongest privacy protection frameworks. This latest decision provides further evidence that the GDPR has impact far beyond the EU. It allows data about European citizens to be exported outside the bloc only if an adequate level of data protection is guaranteed.
Adequacy can be demonstrated at country level, and some major trading partners of the EU (such as Japan, Canada and New Zealand) have been certified by the EU as having a comparable level of privacy protection. Until a fortnight ago, US companies could likewise rely on an adequacy decision for the EU-US Privacy Shield. The Privacy Shield allowed companies to self-certify their data practices against a set of minimum criteria and enhanced US regulatory oversight. The Court has now held that this is not enough.
What does this mean for Australia?
Australian companies and consumers need to be mindful of the new CJEU decision. Data exports are very common, particularly where companies operate multi-nationally, outsource some of their data processing or store data on overseas cloud servers.
Australia was not a party to the EU-US Privacy Shield. It also does not have EU adequacy status. This is because our Privacy Act does not apply to small businesses, employee data, and political parties, amongst others. An EU entity that seeks to export personal data to Australia therefore needs to use other safeguards to ensure that EU personal data remains protected.
This is commonly done in the form of standard contractual clauses, by which the sender and recipient of data agree that their data processing meets GDPR standards. The CJEU has now clarified that companies and regulators must verify in each case that the clauses stand up in light of the recipient country’s data laws.
Deepening global divisions and the trend to data localisation
To comply with the ruling, companies need to engage in a more detailed risk analysis than before. In some cases, data may no longer be transferred. This is likely to contribute to an international trend to house critical data locally. A recent example of this trend is the COVIDSafe app: the data it collects must remain in Australia.
The CJEU decision comes at a time of intense public debate of privacy in Australia and many other countries. The COVID-19 pandemic has turbo-charged the digitalisation of many aspects of daily life. Every digital transaction leaves traces in the form of personal information, which could be a target for data mining and surveillance by corporate and state actors.
It would be sensible to adopt internationally harmonised data protection standards to regulate global data streams. But the world appears currently headed in the opposite direction.
Apart from the long-standing EU-US division over privacy, China, India and Russia have also begun to assert their own distinct data processing models. These powers generally give their citizens fewer privacy rights than the EU. They also make increasing use of data localisation requirements, which prohibit or impede data export, to enforce their own data protection protocols. The intensifying conflict between the US and China, most recently erupting over the new security laws for Hong Kong, also marks data governance and cybersecurity as significant battlegrounds.
Australia’s new challenges in data protection
Australia’s data regulation tends to be pragmatic and business-friendly. It steers a middle course between the conflicting privacy approaches of the US and the EU. However, in a world retreating from globalised regulation, it is becoming increasingly difficult not to take sides.
Privacy is looming larger than ever in public consciousness, and Australia’s Privacy Act is due for an overhaul. More than ever, Australia needs to determine its own course in safeguarding personal information against potential overreach by corporations and governments.
- ^ ruled (curia.europa.eu)
- ^ Tough new EU privacy regulations could lead to better protections in Australia (theconversation.com)
- ^ brought into force (theconversation.com)
- ^ certified (ec.europa.eu)
- ^ EU-US Privacy Shield (www.privacyshield.gov)
- ^ does not have EU adequacy status (www.oaic.gov.au)
- ^ now have to work out (iapp.org)
- ^ COVIDSafe app (theconversation.com)
- ^ in Australia (www.cmo.com.au)
- ^ turbo-charged the digitalisation (www.computerworld.com)
- ^ need for cooperation (www.reuters.com)
- ^ long-standing EU-US division over privacy (www.politico.eu)
- ^ data governance and cybersecurity (www.politico.com)
- ^ Privacy Act is due for an overhaul (treasury.gov.au)
Authors: Normann Witzleb, Associate Professor in Law, Monash University