The question of legal liability still hangs over lawyers as a concrete solution is not yet forthcoming.
What has been the major legal headache of the past week? Data protection. No matter how many pills you take, the pain will not go away.
That is because there is no legal solution yet available. Hanging over lawyers - and all those whose data are sent or stored outside the EU - is the continuing question of legal liability following the ruling of the European Court of Justice in the Schrems case on 6 October 2015. Last week a solution was dangled before our eyes by the European Commission, but does it mean an end to the headache for practising lawyers who have to find a solution today to their data protection problems? I think not.
For those who have not been paying attention, here is a quick summary of where we are. Max Schrems, an Austrian law student, brought a case against the Irish data protection authority complaining that his Facebook data was not secure because it was sent to the US, where (according to the Snowden revelations) it could be accessed by the National Security Agency.
The Court of Justice of the EU upheld his complaint, and the arrangement that was in place up until then under which all data transfers to the US were handled and thought to be secure from liability - the Safe Harbour agreement - was struck down. Temporary relief was granted by the collection of European data protection authorities, the Article 29 working party, which said in effect that they would take no action until the end of January 2016 on those who transfer data without the benefit any longer of Safe Harbour, to give the European Commission time to negotiate a new deal with the US authorities.
The January 2016 deadline came and went, and then last week, a couple of days after the deadline, the European Commission announced triumphantly a new deal. We have gone from Safe Harbour to Privacy Shield. One of the problems with Privacy Shield - over the last few days, it has been picked apart by politicians and experts - is that at present it is made of buttery promises and not iron guarantees, and so it seems that no lawyer can rely on it without fear of it melting in the heat of legal battle.
By way of example, the commission’s press release opened by saying that the commission had approved the political agreement reached, and has mandated the relevant commissioners ‘to prepare the necessary steps to put in place the new arrangement ’. That does not sound to me like a settled legal framework already in operation.
This is what the Article 29 working party has said (it calls itself ‘WP29’). It is worth quoting in full, because it is the safest legal promise around, given that it is issued by the collection of EU data protection authorities, the responsible enforcement authorities: ‘The WP29 calls on the commission to communicate all documents pertaining to the new arrangement by the end of February. The WP29 will then be in position to complete its assessment for all personal data transfers to the US at an extraordinary plenary meeting that will be organised in the coming weeks.
‘After this period, the WP29 will consider whether transfer mechanisms, such as standard contractual clauses and binding corporate rules, can still be used for personal data transfers to the US. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.’
What does this mean for lawyers and law firms, in terms of advice given to clients and advice on which they can rely for their own practices’ data protection policies? I take it to mean that, like everyone else, lawyers need to check pretty damn quick with their service providers - they should have checked months ago - that they have switched from Safe Harbour to some other legal basis, such as standard contractual clauses or binding corporate rules.
The European Commission has provided a helpful communication on the alternatives.
The last sentence of the WP29 statement is the most important. I understand it to be saying that, provided your providers have switched accordingly, you are safe, at least until the end of February; after that date, if WP29 is not convinced that the new Privacy Shield is sufficient, even solutions relying on standard contractual clauses may be exposed to further risk.
The importance of this matter is such that it should not be left to each practice to come to its own conclusion (and nor should any reader rely on this article for legal advice). The professional bodies should be advising their member lawyers on what steps they should take in their own practices to be sure that they remain as compliant as it is possible to be with the current transitional arrangements, and then issue new advice when Privacy Shield is agreed by all to be operational and safe (or not, as the case may be).
Doubtless after that Mr Schrems - or someone else - will bring a case. His next steps, taken before the Privacy Shield announcement, promise no end to the litigation.
Jonathan Goldsmith is a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs
The Law Society will host the data protection seminar ’Preparing for the new regime’ on the 26th April.