The Schrems II decision: a milestone for privacy?

On July 16th, the Court of Justice of the European Union (CJEU), ruled on a case brought up by data privacy activist Max Schrems. The CJEU’s decision produced an unexpected result. Privacy Shield, which governs EU-US data transfers and is used by approximately 5,000 companies, is invalid. The Standard Contractual Clauses (SCCs), the tool most commonly utilized for transfers around the globe (including to the US), will now be subject to much closer case-by-case  scrutiny to ensure they provide an EU level of data protection.

The implications of this decision are hard to foresee. In a similar decision in 2015, the CJEU already ruled the predecessor of the Privacy Shield agreement, then called “Safe Harbor”, invalid. This year’s decision shows that the EU takes privacy seriously – but companies will have to adapt. What are the consequences from this decision and what does the industry think? We collected some opinions from around the world.

Bridget Treacy and David Dumont, Data Privacy Partners at Hunton Andrews Kurth, a global US law firm:

“The significance of the judgment cannot be understated. It raises serious concerns for EU businesses as to whether, and if so how, they can continue to send personal data abroad to the US, and to other countries around the globe. Given the potentially significant consequences of the judgment for international trade, the business community anticipated meaningful guidance from Europe’s data protection regulators as to how they should interpret the judgment, and where the potential solutions lie. The European data protection Supervisory Authorities, together comprising the European Data Protection Board (EDPB), have today published Q&As on the Schrems judgment. Unfortunately, the EDPB’s Q&A document offers little in the way of concrete, practical guidance, illustrating just how challenging this issue is.

The EDPB reminds EU businesses that they must understand their chain of processing and be clear about where their data are processed, and whether the laws of the relevant country ensure an EU standard of data protection. If not, they must re-negotiate their contracts to forbid transfers to those countries.  As matters stand, it is by no means clear how affected businesses can navigate these challenges, yet they cannot stand back and do nothing. A risk based approach will be required. This ruling is likely to encourage data localization, with some already calling for EU data to be processed in the EU. There is also a possibility that the legal framework in certain countries will be regarded as too risky to accommodate EU personal data, with potentially serious repercussions for global commerce.”

Peter Swire, former White House data privacy negotiator with the European Union:

“The CJEU now requires each national data protection authority “to suspend or prohibit a transfer of personal data to a third country,” such as the U.S. or China,  to prevent transfers to a country whose government can gain access to personal data under protections that are less than essentially equivalent to those under E.U. law. On SCCs, the court appears to put E.U. trade at risk with other third countries such as China and Russia, which also don’t have a judge examining each part of national security surveillance.

On remand to Ireland, the next cases for the Irish authority should include assessments of adequate protection in other third countries.  Those countries systematically lack safeguards against surveillance, in contrast to the U.S., which adopted numerous privacy safeguards after the Snowden revelations and now has more legal protections concerning surveillance than most or all of the E.U. member states.

To clarify whether essential equivalence exists, the Commission or other E.U.-wide body should assess the actual safeguards against surveillance in the member states as well as the U.S. and other third countries such as China and Russia. If the E.U. doesn’t assess third country law, national data protection authorities are in a weak position to make decisions about which third countries lack essential equivalence to the E.U.  legal standards.  The DPAs typically have no access to national security expertise at the top-secret level and lack the resources to assess third country legal systems in a fair and comprehensive way. Therefore, the E.U., faced with possible cutoffs to numerous third countries, needs to provide some Europe-wide mechanism to have an informed process about third country surveillance regimes. If you take a step back, it is extraordinary to think that the individual in one country has a right to have a judge in a different country examine all of the surveillance relevant to that individual. That is contrary to how intelligence actions have worked since the dawn of time.”

Arved Graf von Stackelberg, Managing Director of cybersecurity company DRACOON:

“In any case, the decision from Luxembourg is to be welcomed, as the issue of data sovereignty is playing an increasingly important role, especially in times of advancing digitisation. Like the CLOUD Act, which explicitly allows the release of personal data of EU citizens to US authorities if they use American services, the Privacy Shield put users at a disadvantage when it comes to data protection. As is well known, the CLOUD Act and the EU-DSGVO are in conflict with each other and now the Privacy Shield has also been stripped of its legal basis.

The awareness of companies and individual users of the importance of data sovereignty is increasing more and more and data protection has long since ceased to be an issue that is ignored and underestimated. Companies and users, on the other hand, clearly demand that right and it often plays a role in the decision to use certain services or to purchase company software. It is gratifying that the EU is clearly standing up for usage rights and the sovereignty of European citizens in the exchange of information. Another positive development is that US corporations now also recognise this desire for transparency and control – on both the corporate and private side. It is equally gratifying that they are cooperating with German and European cloud providers to enable users to store and exchange data in compliance with the DSGVO despite the current CLOUD Act. All in all, such cooperations and clear verdicts such as the one against the Privacy Shield can make a lasting contribution to ensuring that Europe is and remains a safe place to protect the privacy of individuals and secure commercial data exchange.”