News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Reports and Surveys

Access all reports and surveys published by the IAPP.
Resource Articles

The IAPP publishes longform, web-based resource articles to provide in-depth analysis on relevant topics in the privacy space.
White Papers

Access all white papers published by the IAPP.
Infographics

Access all infographics published by the IAPP.
Podcasts

The Privacy Advisor Podcast provides interviews with the privacy world's most interesting voices.
Videos

The IAPP's video library provides insights, reactions and opinions on a range of topics, including regulatory developments, areas of privacy operations management and more.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
Privacy 101

On this page, you’ll find articles and tools to help you get a basic understanding of the job of the privacy pro and data protection laws and practices around the globe.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | 'Schrems II' backs the European legal regime into a corner — How can it get out? Related reading: GDPR Genius

rss_feed

""

Writing for the IAPP this summer, in honor of the second anniversary of the EU General Data Protection Regulation, I said that “European law, to assure protection of personal data when sent to third countries, may have backed itself into a corner.” Today’s so-called "Schrems II" decision provides the EU with even less room to maneuver. Especially for transfers of personal data to authoritarian countries, such as China and Russia, it is now difficult to see a lawful basis for many routine data flows.

As IAPP readers likely know by now, the Court of Justice for the European Union today struck down the EU-U.S. Privacy Shield, much as it did the EU-U.S. Safe Harbor in "Schrems I" in 2015, citing a lack of individual redress and lack of proportionality. 

For the standard contractual clauses specifically challenged by Max Schrems in Ireland, the court allowed them to stand as a general matter.  The controller in the EU, however, must now assess in each case the level of protection afforded by the SCCs and also protections “as regards any access by the public authorities of that third country to the personal data transferred (and) the relevant aspects of the legal system of that third country.”  

These company-by-company assessments must be overseen by the data protection authorities: “the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”  If supervisory authorities disagree about transfers, the European Data Protection Board is assigned to resolve disputes; in the event of such disputes, it would be important for the EDPB to have access to the best possible information on how to assess national security and other laws about government access to data in countries outside of the EU.

The CJEU highlighted two aspects of U.S. intelligence law as lacking adequate safeguards. One flaw, according to the court, is the lack of individual redress — an EU person such as Max Schrems does not have access to the courts in the U.S. to review what the National Security Agency may do with his data. For national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries. Also, the Fundamental Rights Agency has documented the limited individual redress existing in EU member states, including: “In four Member States [out of 27], an expert body’s decision or preliminary assessment can be appealed before a judge.” Although the CJEU avoided comparing member state law or practice with the U.S., it can seem discriminatory to judge third countries by a legal standard that does not apply to the member states.

The second flaw, according to the court, is the lack of proportionality in U.S. intelligence activities, essentially the concern that the U.S. does broader collections, with less clear legal standards, than the court finds adequate. The court leaves a bit of room for national security surveillance, allowing that which is strictly “necessary in a democratic society to safeguard, inter alia, national security, defence and public security.” 

The CJEU, however, declined to address the nuanced jurisprudence, as explained by Professor Théodore Christakis, by the European Court of Human Rights on how to reconcile fundamental rights with national security. As someone who has worked extensively both in privacy and national security, my own view is that the CJEU provides very little room for effective protection against military action, such as the Russian invasion of Crimea in 2014, or the risk of future aggressive action against the Baltic States. As fellow members of the North Atlantic Treaty Organization, the U.S. and many member states have a shared interest in countering threats, including terrorism and nation-state attacks. Better to build layers of safeguards onto needed intelligence activities, such as the broad 2015 reforms in the U.S., than to block those activities.

Going forward, U.S. Secretary of Commerce Wilbur Ross and the EU Commission have indicated a willingness to work together in the wake of today’s decision. If the two sides can reach a new agreement about what constitutes adequacy, then the court’s decision states that the finding of adequacy will ensure the lawfulness of transfers to the U.S. unless some future court decision holds otherwise. I hope and believe innovative approaches are possible to pursue such an agreement.

The court’s decision leaves even less room for transferring personal data from the EU to China and other authoritarian countries. 

Our research shows much larger flows to China than many have realized, with annual exports of 200 billion euros, including via TikTok, Alibaba and TenCent. Wojciech Wiewiórowski, the European Data Protection Supervisor, recently commented to Politico that the U.S. is “much closer” to the EU than China in terms of shared values. He added, “I have never hidden that we have a preference for data being processed by entities sharing European values.” The EU and U.S. have a shared tradition of fundamental rights protections and the rule of law, so it is difficult to see how many of the transfers to third countries lacking those protections will be lawful after the court’s decision.

In conclusion, the EU faces the legal challenge I addressed previously for the IAPP — how can global data flows continue, including with the EU’s largest trading partners and closest allies? The court’s legal doctrine appears to back the EU into a corner. Next, how will it get out, protecting both privacy and the other values necessary in a democratic society?

Photo by Christian Wiediger on Unsplash

Infographic: The impact of the CJEU’s decision on 'Schrems II'

The IAPP created an infographic outlining the decision by the Court of Justice of the European Union, declaring the EU-U.S. Privacy Shield arrangement is invalid.

View Here

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Peter Swire, CIPP/US IAPP Member Contributor
Tags
Government
Europe
U.S.
Big Data
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
5 Comments

If you want to comment on this post, you need to login.

  • comment Andreea Lisievici • Jul 17, 2020 
    I highly disagree. This decision puts the US surveillance system (and similar others) into a corner, not EU law. It also puts the EU Commission in the shameful position of having to admit to being too political instead of doing their job of enforcing the EU fundamental rights to privacy and data protection. Yes, transfers of data become questionable. But without this the very level of protection afforded to personal data in the EU becomes questionable. Due to precisely choosing to uphold this high level of protection it means the decision did not put EU law in a corner, it put it in the spotlight.
  • comment David Bender • Jul 17, 2020 
    One thing this decision does (as did the 2015 Safe Harbor decision) is to highlight this court's fascination with US surveillance law, while keeping hands-off of Member State surveillance law, even as a yardstick against which to measure propriety.  While EU law does not extend to Member State security, it is nevertheless inappropriate for the ECJ to judge US surveillance on some absolute scale, while ignoring that study after study has shown US surveillance law to be more privacy-sensitive than the surveillance law of most EU Member States.  
     As Professor Swire suggests, the European Court of Human Rights has handled numerous cases where data protection had to be balanced against security, and not infrequently data protection has come out on the short end.  In the ECJ, when data protection is balanced against some other important value, data protection almost always wins.  Yes, data protection is an important value; so is national security.  The Charter of Fundamental Rights that the ECJ is charged with enforcing, and the European Convention on Human Rights that the ECtHR is charged with enforcing, both require data protection -- and they both also require proportionality.  But the ECtHR takes the proportionality mandate seriously, whereas the ECJ merely pays it lip service.
  • comment Emma Butler • Jul 20, 2020 
    I completely agree with David Bender's comment. The EU has long been hypocritical as regards surveillance in expecting third countries to meet standards it can't meet itself. This blatant anti-Americanism has to stop, it's shameful. Also, the FISA means US Govt can access data held by US companies regardless of where in the world it is stored, so the judgement changes nothing. All govts can access data, this is not unique to the US. Data protection law in the EU is at risk of a backlash with decisions like this. Is it reasonable to ask companies to carry out detailed diligence on the govt access and redress scheme in every country where there is a company they want to sign SCCs with? The kind of diligence that it takes the Commission's expert teams years to do to assess adequacy. We have forgotten the individual. How does any of this improve things for them?
  • comment Luc Aelen • Jul 21, 2020 
    Peter Swire provides a very balanced analysis. We don't live in a perfect world. All countries have agencies that collect intelligence for national security purposes. Data importers will always need to comply with requests of the competent authorities in the country where they are established to provide such information if these requests are in line with national laws. 

Between countries that are political allies you would expect that a program like the Privacy Shield provides an acceptable compromise between data protection and national security interests. If the EU no longer thinks so, they must negotiate a better deal with the US. However, the EU can’t expect that the US will give complete priority to complying with (EU) data protection principles at the detriment of their national security interests. 

In its decision the ECJ also says that data exporters can only use Standard Contractual Clauses once the country where the importer is established provides a comparable level of data protection as the EU. Exactly that type of review is something for the EU Commission to conduct – it is unreasonable to shift that responsibility to private companies.
  • comment ZhuoHong Liu • Aug 14, 2020 
    I agree with Andreea that "the decision did not put EU law in a corner, it put it in the spotlight". It is a light leading us to think what basic bar should be established on this international platform to facilitate the data flows.
Related Stories
GDPR Genius
This interactive tool provides IAPP members ready access to critical GDPR resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location....
Read More
Why U.S. Surveillance Law Protections Are Better Than Europe Thinks
2
When the European Court of Justice and its Advocate General found the Safe Harbor unlawful in October, a major reason was their concern about the U.S. surveillance system. This week the Belgian Privacy Authority hosted a forum on the Schrems Safe Harbor case, and I was asked to comment on two questi...
Read More
A proposal to help resolve federal privacy preemption
1
There are signs that U.S. Congress is getting closer to a bipartisan approach to federal privacy legislation. In the Senate Committee on Commerce, Science, and Transportation, draft bills by Sens. Chairman Roger Wicker, R-Miss., and Ranking Member Maria Cantwell, D-Wash., contain important similarit...
Read More

Infographic: The impact of the CJEU’s decision on 'Schrems II'

The IAPP created an infographic outlining the decision by the Court of Justice of the European Union, declaring the EU-U.S. Privacy Shield arrangement is invalid.

View Here

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

Related Stories
Tags
Government
Europe
U.S.
Big Data
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
Recent Comments