Privacy professionals are now operating in a different world following the Court of Justice of the European Union's ruling in the "Schrems II" case.
The EU-U.S. Privacy Shield agreement is now invalid. The CJEU upheld standard contractual clauses; however, third countries must have the proper protections in place when EU data is transferred.
The decision has massive ramifications for international data transfers. The privacy industry now has to analyze both what exactly the CJEU decided and the next steps needed to function in a post-"Schrems II" world.
NOYB Founder Max Schrems looks at the decision as a victory.
Schrems said the CJEU's ruling essentially addressed all of the concerns NOYB cited in the case and that the CJEU has now told data protection authorities to become more proactive, calling it one of the most important developments to come from the court.
"We especially tried to connect that from a strategic point of view with Article 4 (of the SCCs decision). Basically, we made a chain that the SCCs can be valid if Article 4 is the solution, but that only works if the DPA has a duty to take action," Schrems said during an IAPP LinkedIn Live session. "These chains you try to build in a case like that, they all work pretty well. It’s like preparing fireworks, and they all go off in the right order."
For Schrems, the CJEU's ruling was a case of history repeating itself. Nearly five years ago, in the "Schrems I" case, the CJEU determined the Safe Harbor agreement was invalid. Schrems said one of the main messages from the court's judgment was that it reiterated what it brought down in the first ruling.
Privacy Shield may be invalid, but SCCs managed to live another day. The fact that SCCs were not struck down, however, does not mean they stand on firm footing.
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said the validity of SCCs as a data transfer mechanism is perhaps the most important result to come out of "Schrems II." Ustaran said the CJEU's decision aligned with CJEU Advocate General Henrik Saugmandsgaard's opinion on SCCs: They are a lawful measure to legitimize data transfers.
Ustaran said it's important to note that while the court said SCCs work in principle, they also have to work in practice.
"For a mechanism to work in practice, one has to assess effectively if they can comply with the obligations in the clauses. The reality is the (SCCs) were almost too good to be true in the sense that it was a very easy-to-use mechanism," Ustaran said. "You can just search for it, print it, sign it, put it in the drawer and forget about it. What the court is reminding us is that this is a mechanism that creates legal obligations, and if the parties cannot comply with those obligations, the mechanism doesn’t work, and therefore the data transfers are not valid."
The CJEU's stance on SCCs will give privacy professionals plenty of work in the days and months ahead as they now have to analyze each use of SCCs on a case-by-case basis.
When seeking to use SCCs going forward, Ustaran advises privacy professionals to read over them very carefully to understand the agreements they are about to make and the strict obligations they must adhere to, especially the ones data importers have to place on subcontractors, which are particularly strict.
Privacy professionals would also benefit from understanding the scope of their data transfers and from asking plenty of questions.
"When you identify a conflict, it’s a conflict that cannot be resolved contractually because, as the court was saying, the government of the recipient of the data is not subject to the contract," Ustaran said. "The way to resolve that conflict is to ensure that you assess that requirement in the law. If there is a demand for data, you look at that request and question it. What’s the scope? What’s the format? What are the powers of this authority that is asking for the data? Can I object to it? Those are elements that could be contractually agreed on between the parties."
One of the many questions going forward is simple: What can be done to avoid a "Schrems III?"
The answer would likely have to be legislative reform, Ustaran said. The U.S. could pass a privacy law to mirror the EU General Data Protection Regulation, but that could take time, if it were to materialize at all.
Rather than a federal privacy law, Schrems said the U.S. should focus on surveillance reform, as U.S. and EU laws are simply incompatible where each side currently stands.
"I think fundamentally what we have to understand is whether the EU changes the Charter of Fundamental Human Rights or the U.S. changes (Section) 702, there will not be a possibility to come up with a new deal. I hope that a lot of people in the U.S. industry will realize that and put some pressure on the U.S. government to change 702 in some way."