TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | 'Schrems II' backs the European legal regime into a corner — How can it get out? Related reading: GDPR Genius


Writing for the IAPP this summer, in honor of the second anniversary of the EU General Data Protection Regulation, I said that “European law, to assure protection of personal data when sent to third countries, may have backed itself into a corner.” Today’s so-called "Schrems II" decision provides the EU with even less room to maneuver. Especially for transfers of personal data to authoritarian countries, such as China and Russia, it is now difficult to see a lawful basis for many routine data flows.

As IAPP readers likely know by now, the Court of Justice for the European Union today struck down the EU-U.S. Privacy Shield, much as it did the EU-U.S. Safe Harbor in "Schrems I" in 2015, citing a lack of individual redress and lack of proportionality. 

For the standard contractual clauses specifically challenged by Max Schrems in Ireland, the court allowed them to stand as a general matter.  The controller in the EU, however, must now assess in each case the level of protection afforded by the SCCs and also protections “as regards any access by the public authorities of that third country to the personal data transferred (and) the relevant aspects of the legal system of that third country.”  

These company-by-company assessments must be overseen by the data protection authorities: “the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”  If supervisory authorities disagree about transfers, the European Data Protection Board is assigned to resolve disputes; in the event of such disputes, it would be important for the EDPB to have access to the best possible information on how to assess national security and other laws about government access to data in countries outside of the EU.

The CJEU highlighted two aspects of U.S. intelligence law as lacking adequate safeguards. One flaw, according to the court, is the lack of individual redress — an EU person such as Max Schrems does not have access to the courts in the U.S. to review what the National Security Agency may do with his data. For national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries. Also, the Fundamental Rights Agency has documented the limited individual redress existing in EU member states, including: “In four Member States [out of 27], an expert body’s decision or preliminary assessment can be appealed before a judge.” Although the CJEU avoided comparing member state law or practice with the U.S., it can seem discriminatory to judge third countries by a legal standard that does not apply to the member states.

The second flaw, according to the court, is the lack of proportionality in U.S. intelligence activities, essentially the concern that the U.S. does broader collections, with less clear legal standards, than the court finds adequate. The court leaves a bit of room for national security surveillance, allowing that which is strictly “necessary in a democratic society to safeguard, inter alia, national security, defence and public security.” 

The CJEU, however, declined to address the nuanced jurisprudence, as explained by Professor Théodore Christakis, by the European Court of Human Rights on how to reconcile fundamental rights with national security. As someone who has worked extensively both in privacy and national security, my own view is that the CJEU provides very little room for effective protection against military action, such as the Russian invasion of Crimea in 2014, or the risk of future aggressive action against the Baltic States. As fellow members of the North Atlantic Treaty Organization, the U.S. and many member states have a shared interest in countering threats, including terrorism and nation-state attacks. Better to build layers of safeguards onto needed intelligence activities, such as the broad 2015 reforms in the U.S., than to block those activities.

Going forward, U.S. Secretary of Commerce Wilbur Ross and the EU Commission have indicated a willingness to work together in the wake of today’s decision. If the two sides can reach a new agreement about what constitutes adequacy, then the court’s decision states that the finding of adequacy will ensure the lawfulness of transfers to the U.S. unless some future court decision holds otherwise. I hope and believe innovative approaches are possible to pursue such an agreement.

The court’s decision leaves even less room for transferring personal data from the EU to China and other authoritarian countries. 

Our research shows much larger flows to China than many have realized, with annual exports of 200 billion euros, including via TikTok, Alibaba and TenCent. Wojciech Wiewiórowski, the European Data Protection Supervisor, recently commented to Politico that the U.S. is “much closer” to the EU than China in terms of shared values. He added, “I have never hidden that we have a preference for data being processed by entities sharing European values.” The EU and U.S. have a shared tradition of fundamental rights protections and the rule of law, so it is difficult to see how many of the transfers to third countries lacking those protections will be lawful after the court’s decision.

In conclusion, the EU faces the legal challenge I addressed previously for the IAPP — how can global data flows continue, including with the EU’s largest trading partners and closest allies? The court’s legal doctrine appears to back the EU into a corner. Next, how will it get out, protecting both privacy and the other values necessary in a democratic society?

Photo by Christian Wiediger on Unsplash

Infographic: The impact of the CJEU’s decision on 'Schrems II'

The IAPP created an infographic outlining the decision by the Court of Justice of the European Union, declaring the EU-U.S. Privacy Shield arrangement is invalid.

View Here

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment Andreea Lisievici • Jul 17, 2020
    I highly disagree. This decision puts the US surveillance system (and similar others) into a corner, not EU law. It also puts the EU Commission in the shameful position of having to admit to being too political instead of doing their job of enforcing the EU fundamental rights to privacy and data protection. Yes, transfers of data become questionable. But without this the very level of protection afforded to personal data in the EU becomes questionable. Due to precisely choosing to uphold this high level of protection it means the decision did not put EU law in a corner, it put it in the spotlight.
  • comment David Bender • Jul 17, 2020
    One thing this decision does (as did the 2015 Safe Harbor decision) is to highlight this court's fascination with US surveillance law, while keeping hands-off of Member State surveillance law, even as a yardstick against which to measure propriety.  While EU law does not extend to Member State security, it is nevertheless inappropriate for the ECJ to judge US surveillance on some absolute scale, while ignoring that study after study has shown US surveillance law to be more privacy-sensitive than the surveillance law of most EU Member States.  
         As Professor Swire suggests, the European Court of Human Rights has handled numerous cases where data protection had to be balanced against security, and not infrequently data protection has come out on the short end.  In the ECJ, when data protection is balanced against some other important value, data protection almost always wins.  Yes, data protection is an important value; so is national security.  The Charter of Fundamental Rights that the ECJ is charged with enforcing, and the European Convention on Human Rights that the ECtHR is charged with enforcing, both require data protection -- and they both also require proportionality.  But the ECtHR takes the proportionality mandate seriously, whereas the ECJ merely pays it lip service.
  • comment Emma Butler • Jul 20, 2020
    I completely agree with David Bender's comment. The EU has long been hypocritical as regards surveillance in expecting third countries to meet standards it can't meet itself. This blatant anti-Americanism has to stop, it's shameful. Also, the FISA means US Govt can access data held by US companies regardless of where in the world it is stored, so the judgement changes nothing. All govts can access data, this is not unique to the US. Data protection law in the EU is at risk of a backlash with decisions like this. Is it reasonable to ask companies to carry out detailed diligence on the govt access and redress scheme in every country where there is a company they want to sign SCCs with? The kind of diligence that it takes the Commission's expert teams years to do to assess adequacy. We have forgotten the individual. How does any of this improve things for them?
  • comment Luc Aelen • Jul 21, 2020
    Peter Swire provides a very balanced analysis. We don't live in a perfect world. All countries have agencies that collect intelligence for national security purposes. Data importers will always need to comply with requests of the competent authorities in the country where they are established to provide such information if these requests are in line with national laws. 
    Between countries that are political allies you would expect that a program like the Privacy Shield provides an acceptable compromise between data protection and national security interests. If the EU no longer thinks so, they must negotiate a better deal with the US. However, the EU can’t expect that the US will give complete priority to complying with (EU) data protection principles at the detriment of their national security interests. 
    In its decision the ECJ also says that data exporters can only use Standard Contractual Clauses once the country where the importer is established provides a comparable level of data protection as the EU. Exactly that type of review is something for the EU Commission to conduct – it is unreasonable to shift that responsibility to private companies.
  • comment ZhuoHong Liu • Aug 14, 2020
    I agree with Andreea that "the decision did not put EU law in a corner, it put it in the spotlight". It is a light leading us to think what basic bar should be established on this international platform to facilitate the data flows.