There hasn't been much movement on the future of EU-U.S. data transfers nearly two months after the Court of Justice of the European Union rendered its decision to invalidate the EU-U.S. Privacy Shield program. But that may change following a meeting of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs Thursday in Brussels.
The LIBE Committee welcomed European Commissioner for Justice Didier Reynders, European Data Protection Board Chair Andrea Jelinek and NOYB Founder Max Schrems to participate with members of the European Parliament in an exchange of views on the CJEU's decision. In their opening statements to MEPs, Reynders and Jelinek both acknowledged the commission and EDPB, respectively, stand ready to comply with the decision to invalidate Privacy Shield, while Reynders indicated a willingness to explore a new EU-U.S. framework that abides by the decision.
"On both sides, we want to find ways to address the issues raised by the court," Reynders said of discussions with U.S. officials. "We will intensify our engagement with the U.S. in the coming weeks, but we have to recognize the judgment raised complex issues related to the sensitive area of national security. Therefore, there will be no quick fix. We need sustainable solutions that deliver legal certainty."
With Privacy Shield nixed and continued uncertainty surrounding an alternative framework, the discussion has turned to what transfer mechanisms are still viable. The CJEU made clear that standard contractual clauses remain an effective tool, provided there are added protections. Reynders said those protections will be addressed and added to the modernization of SCCs laid out by the commission in June's two-year review of the EU General Data Protection Regulation.
"Finalizing our work on SCCs is a top priority," Reynders said, noting the particular importance of SCCs to small- and medium-sized enterprises. "We intend to launch an adoption process for the new clauses in the coming months and hope to finalize it by the end of this year."
Jelinek discussed the EDPB's ongoing efforts to support stakeholders affected by the CJEU ruling, including the statement and FAQ already published. The EDPB is in the process of devising more resources, Jelinek said, which will include "recommendations to assist in identifying and implementing proper supplementary measures."
Jelinek also emphasized the validation of SCCs but maintained that any transfer mechanism used for third-country data flows is still required to meet the standard of essential equivalence. She also addressed the EDPB's hard stance on the use of Article 49 derogations to facilitate transfers.
"They must be treated as what they are: derogations," Jelinek said. "The EDPB has already clarified through its guidelines that Article 49 derogations can only be the exception, not the rule. Therefore, Article 49 derogations must be applied on a case-by-case basis and only when the special conditions foreseen for them can be met."
Schrems, who filed the initial complaint resulting in the CJEU's decision to invalidate the Privacy Shield, put a great deal of focus on adequacy between the EU and U.S. legal regimes, noting the "clash" between EU fundamental rights and U.S. surveillance laws, including the Foreign Intelligence Surveillance Act.
"We really have to now find a solution that's stable and works for the long term. It can't just be a privacy umbrella or a 'Safe Harbor III' that will go down the drain the same way," Schrems said. "There is no room for another treaty or something to overcome the problem. Sometimes I say it's like basically two trains colliding and then you add a third train, but that will be smashed, as well. There's just no room for an executive agreement when you have these different obligations on a legislative level."
Schrems added that he has spoken with U.S. companies since the CJEU ruling that indicated they intend to ignore it and continue to transfer data under the assumption that EU data protection authorities will not bring action against them.
Once MEPs were given the floor, the common refrain was how the CJEU ruling reflected the shortcomings of the commission and DPAs to uphold the privacy rights of EU citizens.
Dutch MEP Paul Tang said the credibility of the commission is at stake with how it proceeds in handling the transfer dilemma. German MEP Moritz Körner indicated Parliament won't change its Charter of Fundamental Rights and characterized Thursday's discussion as "useless" if there's an unwillingness to seek a new solution that won't end up as Safe Harbor and Privacy Shield did.
Dutch MEP Sophie in 't Veld was blunt with her assessment, as well, opining that Schrems has done more to fight for EU privacy than the commission or DPAs in the wake of the CJEU's two rulings invalidating transfer mechanisms in the last five years.
"They cannot fail a third time," in 't Veld said. "I'm glad to hear (Reynders) say he's going to work very closely with the DPAs, but I hope this time the commission will actually listen. Every single time the EDPB, EDPS or Parliament said something, they were right. We have to get it right this time. There has to be a legal solution, of course, but there needs to be a geopolitical solution.
"I expect not just the commission to come up with a watertight solution, but for the DPAs to finally do their duty. It is not the task of companies, and I do not want my rights as a citizen to depend on the will of a company or their ability to assess American secret services."
If you want to comment on this post, you need to login.