Little will happen until and unless the European Data Protection Authorities begin to enforce Schrems II
One year after the so-called Schrems II decision was made by the European Court of Justice (CJEU), little has changed. Because of Schrems II, EU-U.S. data transfers are illegal, but they are continuing as if nothing has happened. Participants should note, however, that privacy activist Max Schrems is watching; and he is not known for giving up where he has the law on his side.
In a statement published Jul 16, 2021 on the My Privacy is None of Your Business (NOYB) website, Schrems bemoans the lack of progress. “Over the last year, it seems that the relevant stakeholders have mainly engaged in deflection and finger pointing, each passing on responsibility to the next.”
The basic problem is that business-essential data transfers are caught between a rock and hard place: EU law on the one hand, and U.S. surveillance on the other. Neither side currently seems willing to shift, but they are mutually exclusive. One solution could be for the companies concerned to host European data on servers within Europe, but only ‘a fraction’ have moved towards doing so.
Schrems II is the outcome of the European Court’s ruling over a case involving Ireland’s Data Protection Commissioner, Facebook, and Max Schrems. This invalidated the EU-U.S. Privacy Shield (which had replaced the earlier Safe Harbor mechanism which had itself been invalidated largely through the actions of Schrems).
But Schrems II also casts doubt on the validity of Standard Contractual Clauses (SCCs) as used by Facebook and others. Schrems argued that the transfer of Facebook data to its headquarters in the U.S. would make European personal data available to the surveillance of U.S. intelligence agencies. This, claimed Schrems, would be in violation of GDPR and EU law in general. The court agreed.
Technically, SCCs are still valid but with provisions. Ultimately, the U.S. party would need to guarantee the data against U.S. intelligence agency surveillance – but since this is not possible, the SCC fails.
It is a difficult problem to solve – so difficult that Schrems believes the primary route taken by both sides is to ignore the issue, claim it is unrealistic, and concoct “increasingly crude legal theories”. These range, says Schrems, “from the existence of a ‘risk-based approach’ (which is not present in the relevant part of the GDPR) to the suggestion of non-functional ‘supplementary measures’ (like having fences around data centers).”
Companies are saying that the regulations are too complex to implement, while, says Schrems, “The European Commission is muddying the waters by issuing new transfer tools, like ‘Standard Contractual Clauses’, that carefully bypass a clear say on EU-US transfers and allow industry lawyers to keep spinning new compliance theories and avoid long-term solutions.“ The European Data Protection Authorities are adopting a wait and watch position, while the U.S. authorities regularly announce ‘progress’ in negotiations with little or no appetite to change the root problem of U.S. intelligence agency surveillance.
Schrems seems to be on safe ground with his opinions. Recommendations issued by the European Data Protection Board (EDPB) on June 18, 2021 state, “The CJEU held that Section 702 of the U.S. FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary. This means that the level of protection of the programs authorized by Section 702 FISA is not essentially equivalent to the safeguards required under EU law.”
For any company that feels its data transfer may fall within the scope of Section 702 FISA, the EDPB’s first recommendation is, “To stop the transfer.”
Nothing much is likely to happen until and unless the European Data Protection Authorities begin to enforce Schrems II. This is unlikely to happen in the immediate future.
But Schrems has proven himself to be an essentially reasonable, but patient and persistent privacy activist. “In my personal view,” he says, “a long-term solution can only be some form of ‘no spy’ agreement among democratic nations that protects users’ human right to privacy independent of location and citizenship. We may not get there within a matter of months, but potentially within a decade, as a global internet needs global protections to function as users and companies wish for it to.”
Related: Austria’s Max Schrems: US High-tech Giants’ Worst Nightmare?
Related: EU Court Deals Blow to ‘Invalid’ US Data Sharing Deal
Related: Top Court Scraps EU-US Data Pact in New Blow to Brussels
Related: Ireland Rejects Facebook Bid to Block Regulatory Data Probe