On 3 September 2020, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the LIBE Committee) held a debate with the EU Commission, the European Data Protection Board and Max Schrems himself to discuss the impact of the Court of Justice of the European Union judgment in the Schrems 2 case and listen to what key steps these stakeholders are taking in this regard.
- There is no quick fix and no one-size-fits-all solution: companies themselves will need to evaluate their data transfer situations on a case-by-case basis.
- The European Commission intends to come up with a set of new Standard Contract Clauses by the end of this year.
- Justice Commissioner Didier Reynders claims that changes to US law may be necessary in order to get out of the impasse.
- The European Data Protection Board aims to issue additional guidance on the “supplementary measures” on top of Standard Contract Clauses that companies can take to transfer personal data safely.
The EU Commission – a work agenda with three main action items
EU Justice Commissioner Reynders outlined the following three main areas of work the EU Commission will be focusing on in the upcoming months:
1. Adopting new and modernized Standard Contractual Clauses
- Work in this regard has already been ongoing for some months now. The commission is expected to publish a first draft of the new SCCs by the end of September and adopt the final version by the end of 2020.
- The key improvements of the SCCs will concern: a) aligning them with the GDPR (specifying the transparency obligations, data subject rights and the relationship between a controller and processor); b) addressing new data transfer scenarios not addressed by the Schrems 2 judgment; c) catering for complex data transfer arrangements, where the SCCs could be signed by multiple parties.
2. Dialogue with the EDPB and the national data protection authorities
- The commission stressed the importance of developing a consistent approach towards handling the situation caused by the Schrems 2 judgment. This essentially entails coordinating the action plan with the EDPB, before taking further steps.
- The commission will be welcoming further guidance from the EDPB and national DPAs on how to comply with the Schrems 2 judgment.
3. Dialogue with the US authorities
- A dialogue with the US concerning a potential new EU-US data transfer framework has already been opened, and updates on progress are expected in the coming weeks. Commissioner Reynders did confirm that there is a mutual willingness to comply with the Schrems 2 judgment.
- No quick fix can be expected, however, as the issues to address in such a framework relate to the very sensitive nature of national security, and particularly of the US surveillance laws. Any concrete steps will most likely not be revealed before the US presidential elections scheduled for November 2020.
- The EU Commission would welcome meaningful amendments to the US surveillance laws, which would take into account the considerations of the Schrems 2 case. While the EU Commission is ready to support the US authorities in this regard, only the latter are best placed to decide on what concrete measures can be taken.
- Addressing questions from the LIBE Committee regarding the possible solution, where storing and processing personal data within the EU would be prioritized over sending it to the US, Commissioner Reynders said that the commission will be looking into all potential solutions but noted that the European Strategy for Data adopted in February 2020 called for a global convergence in data transfers, and thus building a strong relationship with the US in this area would be preferred.
The EDPB – new guidance to be expected, but ensuring a consistent approach among the national DPAs first is crucial
1. Developing guidelines on “additional safeguards”
- Andrea Jelinek, chair of the EDPB, said that the board is currently working on developing additional guidelines and recommendations on how to identify and apply additional safeguards to companies’ data transfer arrangements.
- The EDPB will also look into updating its existing guidelines in light of the Schrems 2 judgment. Work on these aspects is expected to be delivered in the upcoming weeks and months.
- Jelinek added, however, that there will not be a one-size-fits-all solution, as each company transferring personal data outside the EU will have to evaluate its situation on a case-by-case basis, taking into account the particularities of its data transfer arrangements and the industry in which it operates.
2. Consistent approach needed by the national DPAs
- Jelinek reiterated that whatever further action the EDPB and national DPAs take, the priority is to ensure a consistent and uniform interpretation and application of the GDPR. In light of the complexities caused by the Schrems 2 judgment, ensuring consistency in the approach taken by all DPAs will take some time.
- Responding to certain criticism from committee members on the lack of enforcement activity by the national DPAs, Jelinek gave assurances that the DPAs are neither reluctant to start nor trying to evade enforcement measures. However, returning to the point about consistency, she said that it is important to first devise a common approach to handling any complaints related to data transfers, as otherwise there is a risk of creating even more uncertainty for companies.
Max Schrems – let’s not make the same mistake again
1. No Schrems 3, please
- Schrems started his address by urging the EU not to repeat the mistake made after the Schrems 1 case, where the solution was sought only in relation to ensuring equivalency in the data protection safeguards applied in the data exporting and importing country, and the wider issue of an infringement of EU citizens’ fundamental rights was set aside.
- What this means is that any new Privacy Shield-type framework will not work in his view. In essence, there are only two solutions – either change the EU Charter of Fundamental Rights or change the US surveillance laws. In his view, the latter solution should be pressed for by the EU, as the US would have more to lose if their companies’ access to the EU market is cut off.
- Schrems expressed his concerns about the lack of enforcement action taken by the national DPAs, though. As one example, he mentioned a letter received from the Irish DPA, which apparently stated that the DPA will not be able to begin enforcing the Schrems 2 judgment in the next 1-3 years.
2. Suggested avenues for fixing the problem
Schrems also shared his thoughts on what practical measures could be applied to address the issues:
- If the US surveillance laws remain as they are, then applying any additional safeguards such as encryption would only protect data in transit via the US, but not data being collected and processed there.
- The SCCs, regardless of any additional safeguards applied, cannot be used anymore by electronic communications service providers, as they are subject to the most intrusive US surveillance laws.
- An alternative solution of keeping all data in the EU also might not work entirely, as US laws could extend to US companies operating in third countries.
- One way to effectively amend the US laws would be to introduce a delayed notice of surveillance, where the authority conducting surveillance informs the target of the measures taken after the investigation has been concluded and could no longer be affected by the target’s knowledge of the act of surveillance. This would allow parties affected by such measures to prove standing in US courts.
- Another solution is to create an EU self-certification mechanism, which would be legally binding, but given its nature would also be easier to enforce than SCCs.
- Replying to comments regarding Brexit, Schrems added that all the above considerations will most likely apply to the UK in case of a hard exit from the EU, as their surveillance laws appear to be similar to those of the US.