Guten Morgen aus München,
As in many other aspects, this summer seems to be different compared to previous years. While the pandemic brought some less-busy periods for some of us in the spring, there really is no summer slump for privacy pros at this time.
The main share of blame for this rests, of course, with the Court of Justice of the European Union. Shortly before most of us were about to pack our bags for a well-deserved vacation — or staycation — the CJEU’s "Schrems II" ruling triggered an earthquake in the data protection world on both sides of the Atlantic. The shockwaves can still be felt while organizations try to figure out what the ruling actually means in practice.
But make no mistake: The supervisory authorities are puzzling, as well, over the question of what practical impact the CJEU ruling will have. What does it actually mean for their role as supervisory authorities going forward? What about the further use of standard contractual clauses and other mechanisms for international data transfers? And what can realistically be expected from organizations vis-à-vis due diligence of other countries’ legal regimes as required by the court? Not only does the European Data Protection Board statement essentially say, “Give us a moment to think about it,” the reactions of the various German regulators also clearly reveal that there is presumably still some way to go until a common understanding will be reached.
Typical for Germany — which as you know has not only one but 17 different supervisory authorities — the regulators’ responses were rather diverse. While most regulators remained silent and handed the baton to the EDPB or its German equivalent, the Datenschutzkonferenz, some came forward with rather extreme positions. For instance, the Berlin authority — which already made headlines with its strict approach to video-conferencing apps — called on organizations based in Berlin to move any personal data stored on U.S. servers to Europe and to effectively stop transferring personal data to the U.S. Other German regulators were less prescriptive, although none of them followed the “carry on regardless” approach initially taken by other EU regulators or the U.S. Department of Commerce.
The challenges ahead became very clear when the IAPP Munich KnowledgeNet organized a virtual event together with the Bavarian regulator just days after the CJEU handed down its judgement — which, by the way, was the biggest KnowledgeNet event ever held in Germany by the number of attendees. Even the Bavarian DPA — traditionally a rather pragmatic regulator — sees considerably less scope for data transfers, in particular, to the U.S. than was the case before the ruling. My personal takeaway from the session was that even business-friendly regulators currently struggle to find a way forward which works in practice when it comes to data transfers to the U.S. and other third countries.
But the post-"Schrems II" cacophony of German regulators also had another less obvious consequence: It fueled a lengthy debate on whether to centralize the German supervisory authorities. Currently, the German federal structure of supervision is unique in the EU, since every federal state has its own authority — with the DSK aiming to find common ground on specific topics (similar to the role of the former Art. 29 Working Party on an EU level). There seems to be considerable political will to align the German structure with the centralized model of other EU member states. It is hard to predict at the moment where this will end up —and we will hopefully know more by autumn — but such change would definitely have a major impact.
Last but not least, the German courts have not stood idly by, either. In a landmark ruling handed down shortly before the summer break, the German Supreme Court has finally clarified that marketing cookies require prior user opt-in — something which has been heavily debated in Germany for years. Although this ruling did not come by surprise, it contributes to a particularly hectic summer for privacy professionals.
So as I said, this summer is a bit different.
If you want to comment on this post, you need to login.