Following the first analysis of the Schrems-II verdict from the Court of Justice of the European Union, delivered on 16 July 2020, it is time to take a closer look at some of the statements given by the European and American authorities in response to the verdict.
The European Commission, the body responsible for the adequacy decision establishing the Privacy Shield, as well as for the creation of the Standard Contractual Clauses, held a press conference shortly after the verdict was published. Věra Jourová, Vice-President of the European Commission responsible for Values and Transparency, confirmed the Commission’s position: “When personal data travels abroad from Europe, it must remain safe.” She added that she and her team would continue to work to ensure the continuity of safe data flows, including by modernising the Standard Contractual Clauses (SCCs). The new SCCs, which will also take into account the requirements of the GDPR, will now be “swiftly finalised (…) in consultation with the European Data Protection Board or Data Protection Authorities.”
Commissioner Jourová continued that she is determined to work with her U.S. counterpart, Secretary of Commerce Wilbur Ross, in a constructive way in order to find “solutions that reflect the values we share as democratic societies”.
Her colleague, Commissioner Didier Reynders (Justice), added that he wants “a formal approval to modernise the Standard Contractual Clauses as soon as possible”. As to the future of the Privacy Shield, Reynders mentioned he expects the conversations with the United States to start on Friday (17 July). Once the analysis of the CJEU verdict is completed, the EU will work to develop “a strengthened and durable transfer mechanism”.
The modernisation of the SCCs was long overdue. The current clauses are still based on the old data protection legislation, Directive 95/46/EC, and do not take into account some of the additional protections created by the GDPR. The Commission has been working on the new draft model clauses for some time, but had been reluctant to release them pending the outcome of the Schrems-II case. With the case now decided upon, and the conditions for transfers using SCCs a lot clearer, the Commission will likely be able to finalise the new model clauses within a couple of weeks. We expect the new versions to become available in the early fall.
Data Protection Authorities
The European Data Protection Board discussed the Schrems-II decision during its weekly teleconference on Friday (17 July). A press statement was released after the meeting, but does not yet contain a lot of detail on the way forward. The Board did announce it will take a bit more time to fully understand the intricacies of the judgment, and provide further clarifications at a later date.
Following the Schrems-I decision in 2015, the Article 29 Working Party (the predecessor of the Board) announced a grace period during which no enforcement action would take place on international transfers to the United States, to allow both supervisory authorities and companies to take stock of the existing processing operations, to consider alternative options and to allow the European Commission to start the negotiations that in the end led to the Privacy Shield. A similar approach seems likely this second time around, but will of course have to be confirmed by the Board. In 2015, the announcement of the grace period did not come until 10 days after the verdict.
Individual data protection authorities have released statements about the judgment. The CNIL, among others, only provides a procedural response, stating that it “is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States.”
The German DPAs are especially vocal about their views. The German Federal data protection authority BfDI adds: “The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ.” His colleague from Hamburg goes a bit further and declares: “Ultimately, however, this will not only affect states which, like the USA, have at least made an effort to give the impression that they are creating adequate structures for data protection. For countries like China, such data protection standards are a long way off. With regard to Brexit, too, the question of permissible data transfer will arise. Hard times are dawning for international data traffic.” In addition, the Hamburg Commissioner considers that “if the invalidity of the Privacy Shield is primarily justified by the excessive intelligence activities in the USA, the same must also apply to the standard contractual clauses. (…) At least with regard to the conclusion of the SCC with the US company in dispute, the ECJ should have come to the same conclusion.” The Berlin DPA goes a step further still. In a press release, she announces that data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection.
Various pundits have also concluded from the verdict of the Court that it is henceforth almost impossible to rely upon SCCs in relation to data transfers to the U.S., at least where social media and cloud services are concerned.
The European Data Protection Supervisor in his statement welcomed the verdict of the Court, which reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. He expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. And he may not be the only supervisory authority undertaking such a review.
As to the United Kingdom, which since 1 February 2020 no longer forms a part of the European Union, the ICO declared it stands “ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected”. The Swiss data protection authority stated that the Switzerland – U.S. Privacy Shield will remain valid for the time being, but that it will examine the judgment and provide comments in due course.
As was to be expected, the U.S. government expressed disappointment with the verdict of the Court. Secretary Ross stated he and his team were still studying the verdict, while announcing at the same time that “the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. [The Court’s] decision does not relieve participating organizations of their Privacy Shield obligations.” This means that even though the Privacy Shield can no longer be used as a mechanism to transfer personal data from the EU to the U.S., companies that have processed personal data under a Privacy Shield certification so far will need to continue to do so. This way, the U.S. government likely intends to facilitate a new version of the Privacy Shield to be put in place at some point in the future, while in the meantime ensuring that companies show that their business practices remain privacy friendly, even without the added benefit of easy data transfers.