August has come and gone, and the European institutions are back from their summer break. The coming weeks will likely bring more clarity on the consequences of the Schrems-II decision of the Court of Justice of the European Union at the start of the summer. The European Data Protection Board (EDPB) has announced that further guidance on the required “additional appropriate safeguards” is forthcoming, and the European Commission is in the process of finalizing a whole new set of Standard Contractual Clauses (SCCs). The first indications of what is coming were given on Thursday, during a hearing of the European Parliament committee on Civil Liberties, Justice and Home Affairs (LIBE). The LIBE committee heard from Commissioner Didier Reynders (Justice), EDPB Chair Andrea Jelinek as well as from Max Schrems himself. All three commented both on the judgment itself and on the way forward.
Mr. Reynders recognised that the Schrems-II ruling is an important political and geopolitical issue that will not be easy to solve. Conversations with the U.S. on a possible new data transfer framework have commenced, but it is impossible at this stage to provide a clear timeline. The upcoming U.S. elections in particular, as well as the likely need for Congress to be involved in any new agreement, rule out any quick fix. The Commissioner explained that the Commission wants to get it right this time, which also includes a completely new set of model clauses that will take into account the conditions set by the Court. Mr. Reynders indicated that the draft standard contractual clauses – which will also align the clauses with the GDPR – are likely to be published in the coming weeks as part of a consultation procedure, with the aim of having them adopted by the end of the year. In addition to Controller-to-Controller and Controller-to-Processor clauses, Processor-to-Processor clauses are also expected to be published.
The EDPB Chair explained that the Board is fully committed to supporting the Commission in developing a new, compliant ‘framework’ for EU-U.S. data transfers. What that will look like is as yet unclear. In the meantime, the Board will provide as much guidance as possible to ensure businesses can continue to transfer personal data from the EU to third countries, not just the U.S. What is clear, however, Mrs. Jelinek said, is that in the short run there is no one-size-fits-all solution that will allow all data transfers to continue as if nothing has happened. Companies will need to take their responsibilities seriously and start their case-by-case analysis. In the coming weeks and months, the Board will publish building blocks that can serve as further guidance for the required ‘additional appropriate safeguards’. In addition, the existing opinions related to international data transfers (think of the opinions on Binding Corporate Rules [1, 2, 3], the Adequacy referential and the use of the Article 49 Derogations, but also the working document on the European Essential Guarantees) will be updated to reflect the Schrems-II decision.
Mr. Schrems very quickly made clear he does not believe a solution to the EU-U.S. data transfer challenges could be found in another executive agreement. This has been tried twice, and both times the Court of Justice has made clear the agreements offered insufficient safeguards to protect our fundamental rights. This means there are two options: change how the European Union looks at fundamental rights, or change the U.S. surveillance laws interfering with those fundamental rights. For most in Europe, giving up our fundamental rights would be a no-go, meaning that the only remaining option is to talk to the U.S. about their government surveillance programs, however hard that may prove to be. Furthermore, Mr. Schrems expressed concerns that U.S. industry actors do not seem to be taking the CJEU ruling seriously. From industry calls he attended, he got the impression that many companies are not expecting strict enforcement of the transfer modalities by DPAs and are therefore not committed to updating their SCCs with additional safeguards.
During the question round with the members of the European Parliament, a lot of disappointment was expressed about the inactivity of the European data protection authorities. The GDPR has been in force for almost 2.5 years, but the enforcement of the rules is falling behind. As one MEP put it, it is thanks to diligent citizens like Mr. Schrems, who are willing to go to court over and over again, that there is still some protection of the fundamental right to data protection. Mr. Schrems added that he has received indications from the Irish Data Protection Commission that, despite the clear conclusion of the Court that DPAs have a duty to enforce the GDPR, a decision in his case is not expected imminently.
Members of the Parliament furthermore called for improved legal certainty, especially for small and medium enterprises, as well as more guidance and international agreements to solve these challenges, both on common privacy standards and on no spying between allies. An open question that the European Commission will need to take up with its U.S. negotiating partners is to what extent FISA 702 also covers the EU entities and data centres of U.S. companies, since that can further complicate any future deal.
The recording of the LIBE committee meeting is available on the website of the European Parliament. All of TrustArc’s guidance on the consequences of the Schrems-II decision is available on our Privacy Shield microsite.