After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe
I. Schrems II Places International Data Transfers in a Legal Limbo
A. In Theory Schrems II Proposes a Holistic and Coherent Regime of Protection
B. In Practice It’s Uncertainties Time: The Show Must Go On, But… How?
II. Constitutional Implications for Greater Europe
A. A Shakeup of the EU Equivalent Protection Mechanisms
B. Implications for the European public order
Conclusion: Towards Data Localization?
The judgment issued by the Court of Justice of the EU (CJEU) on 16 July 2020 in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), is without doubt a constitutional judgment. It affirms strongly the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries dealing in a comprehensive way with the issue of government access to data not only by the United States (US) but also by any other country. By doing so it creates a lot of uncertainties on the legal basis of future data transfers from the EU to other countries. And it also has important constitutional implications for the European public order.
This article will not discuss the facts of the case or the arguments used by the Court in relation with the Privacy Shield arrangement or Standard Contractual Clauses (SCCs). This has already been done in this blog in the excellent analysis published last Friday by Christopher Kuner. Similarly, a series of very interesting comments have been published since last Thursday ranging from Max Schrems’ Noyb Organisation’s first reactions, to US perspectives on the judgment proposed by Peter Swire, Jennifer Daskal or Kenneth Propp and Peter Swire.
The objective of this article will be to offer some complementary thoughts and perspectives focusing on the uncertainties created by the judgment for the future of international data transfers (Part I) and the constitutional implications not only for the EU but also for greater Europe (Part II).
I. Schrems II Places International Data Transfers in a Legal Limbo
At a theoretical level, Schrems II appears as a strong constitutional confirmation of the importance to build a solid, comprehensive and coherent regime of protection of European personal data transfers – including against governmental access to such data. In practice, however, the judgment creates a lot of uncertainties about the legal basis for future data transfers from Europe to the US and the rest of the world. The huge challenge after Schrems II will be to define how to reconcile theory with practice.
A. In Theory Schrems II Proposes a Holistic and Coherent Regime of Protection
From several points of view the CJEU remains faithful to itself. As Kuner rightly noted, “the holdings of the Schrems II judgment are not unexpected”. Indeed, people familiar with the case law of the CJEU know that the Court has adopted, over the last years, a very strong stance in favour of data protection, whatever the practical consequences of this. For the Court, it is for the law to govern technology, not the other way around. Governments, corporations and other stakeholders thirsty for data must find solutions to fit with the theoretical framework of strong data and privacy protections proposed by the Court on the basis of EU relevant law.
In the 2014 Digital Rights Ireland judgment the CJEU declared invalid the Data Retention Directive and in the 2016 Tele2 Sverige and Tom Watson and Others judgments, the Court imposed severe limitations on data retention regimes decided by EU governments despite knowing that this would infuriate law enforcement agencies around Europe.
In 2006 the CJEU annulled the 2004 Passenger Name Record (PNR) Agreement between the EU and the US obliging the two parties to renegotiate a new Agreement. Similarly, in Opinion 1/15 issued in 2017, the CJEU objected to the entry into force of the EU/Canada PNR Agreement, insisting that there should be very strict rules as to the concrete implementation of surveillance laws, leading, once again, to a time-consuming renegotiation of this Agreement. Schrems I, in 2015, led to the invalidation of Safe Harbor. Against this background, Schrems II represents, as Kuner noted, “a continuation of the Court’s approach to the regulation of international data transfers rather than a radical departure from it.”
From several points of view Schrems II goes far beyond Schrems I by completing the theoretical regime of protection of data transfers in a way that would permit to avoid further circumvention of the standards of the GDPR. Indeed, while Schrems I only invalidated the Commission’s adequacy decision with the US, Schrems II is not just about invalidating the Privacy Shield. As it will be shown later on, the CJEU insists that all relevant stakeholders must ensure that the same standards of protection of European personal data apply in relation to transfers operated using other legal means, starting with SCCs.
Theoretically, this is a rather logical development to ensure a consistent and comprehensive legal regime. As Omer Tene noted, the use of SCCs has been criticized to be a “mere formality” or “a legal fiction”. “Never once in memory have they been pursued or enforced in a court of law. Perhaps this will now change.” Indeed, Schrems II highlights that SCCs are logically subject to the same standards of protection as other means for transfers. It is no longer sufficient for companies to “copy and paste” the SCCs template, “washing their hands” for what happens afterwards if a foreign intelligence agency accesses the data. As noted by Thomas Streinz, “a contractual guarantee is insufficient if another country’s law requires or allows for access to personal data contrary to GDPR guarantees.” Data controllers, under the control of Data Protection Authorities (DPAs), need to ensure effectiveness in practice.
This development also permits to ensure fairness in the treatment of foreign EU partners. Indeed, one of the major objections against an invalidation of the Privacy Shield formulated by US scholars ahead of Schrems II was that this could lead to an absurd and unfair situation which consists in “prohibit[ing] transfers of data to the US, which has numerous legal safeguards characteristic of a state under the rule of law, while allowing such transfers toward China, where the protection of personal data vis-à-vis the government is essentially non-existent”.
By clearly saying that data controllers and DPAs need to ensure that the same standards of protection apply irrespective of the legal basis used for data transfers, the CJEU avoids the “double standards” pitfall and ensures the theoretical coherence and fairness of the legal regime.
Seeing the things from a rather European and idealistic perspective, one author said that “the CJEU is steering us – as it has always done – in a direction of travel which seeks a balanced approach to Government access to data rooted in democratic principles and effective remedies for individuals”. Indeed, still theoretically and with a pinch of European legal imperialism, one could hope that Schrems II could have the welcome effect of realizing the European Commission’s goal to “promote convergence of data protection standards at international level, as a way to facilitate data flows and thus trade” (as expressed in the recent assessment of the GDPR at the occasion of its second anniversary, at page 12).
Coherent and protective as all this sounds at a purely theoretical level, it leads to huge difficulties and uncertainties in practice.
B. In Practice It’s Uncertainties Time: The Show Must Go On, But… How?
Five years ago, in Schrems I, the CJEU struck down the EU-US Safe Harbor amid concerns about US government access to data, and several commentators thought that this was the end of the digital world. However, as Omer Tene notes, “the next day, the sun rose in the east, and data transfers went on”. Will this time around be any different? Omer Tene ventures to guess, “no”. Even after Schrems II, “data will continue to flow across borders, including from Europe to the US. … The internet, after all, will not break. The show must go on.”
While this seems as a reasonable statement, the big question is “how”. Schrems II creates at least nine huge uncertainties about the future of international data transfers.
- Uncertainties over a Grace Period for Privacy Shield
The US authorities noted (see here and here) that, as a consequence of Schrems II, more than 5,300 European and US companies, large as well as small, no longer may rely on the Privacy Shield as a basis for transferring personal data from Europe to the US.
Immediately after the judgment, a representative of tech lobby BSA/The Software Alliance called on DPAs to release guidance and to hold off enforcing the ruling for a grace period. This was based on the argument that after the Schrems I judgment, DPAs provided a period for transition and at a practical level companies that were relying on the Safe Harbor Framework were allowed to continue data transfers on that basis until the new Privacy Shield came in force in 2016.
However, it is at least unclear whether such a “grace period” could be accorded again and this for several reasons:
- First, this happened before the conclusion and the entry into force of the GDPR which introduced even stronger safeguards on data protection and data transfers.
- Second, Schrems II appears as a disapproving affirmation that things have not been done properly after Schrems I, leaving little space for further flexibility and delays by DPAs.
- Third, the Court leaves little room for such an interpretation. Indeed, para. 202 of the judgment considers that it is not “appropriate to maintain the effects of that decision for the purposes of avoiding the creation of a legal vacuum” because, in any event, derogations under Article 49 GDPR can be used for necessary data transfers to the US.
- Finally, the European Data Protection Board (EDPB) did not mention such a possibility in its first statement on Schrems II, while some DPAs in Germany took the position that “there is nothing” in the judgment or the GDPR “about possible grace periods or some kind of moratorium.”
Of course, as noted by Propp and Swire, who rely on EU government practices after some CJEU judgments on data retention: “in light of the slow pace of EU rulings and begrudging compliance by member states, one strategy for companies in the face of Schrems II may be to continue with business as usual and wait and see if consequences follow.” There is nonetheless a huge difference between the data retention cases and Schrems II. In the former, the eventual non-compliance with CJEU judgments was due to the attitude of governmental authorities in some sovereign EU Member States. Schrems II, by contrast, concerns companies and data controllers who might be, as Propp and Swire rightly warn, subject to huge fines (up to 4% of yearly turnover) by DPAs if they violate the GDPR.
As a result, and unless the EDPB or DPAs clearly open a “grace period” window, over 5,300 companies using the Privacy Shield should take steps to switch to another legal basis for data transfers to the US.
- Uncertainties about the Prospects of a Safe Harbor 3.0.
The best solution would be, of course, for the EU and the US to negotiate a new, third, arrangement that will replace the Privacy Shield. There could be two ways to do this.
The first way would be to go for a “quick fix” taking the risk that the CJEU could invalidate in the future for a third time such an EU-US new arrangement, whatever its name this time. After all, it took just eight months between the invalidation of Safe Harbor by Schrems I on October 6, 2015, and the Privacy Shield adequacy decision adopted by the Commission on July 12, 2016. The Privacy Shield has, of course, been criticized since then by several actors, including, most notably the EDPB (see here and here) but it took four whole years for the Court to strike it down and this provided a valid legal basis for data transfers to the US by more than 5,300 companies during this time. “Quick fixes” allow the “show to go on”.
Nevertheless, it is hard to see how the European Commission and the US could enter this time into such a “quick fix” approach playing “cat and mouse” with the CJEU. The second consecutive invalidation of the Commission’s adequacy decision has important legal and political significance and raises the bar for the Commission to “do things right” this time. Engaging in a “quick fix” strategy that does not meet the requirements of the Court could be seen as cynical and raises huge criticism against the Commission. As a commentator wrote: “There isn’t going to be a third Potemkin data deal.”
The second, and much more credible way to advance, would be to try hard to address the main issues raised by the CJEU and conclude a long-lasting EU-US arrangement providing a valid legal basis and legal certainty for years to come.
For a European observer this should not be “mission impossible”. When one reads the judgment carefully, it should not be impossible to deal with the Court’s main objections. Indeed, Schrems II does not seem to challenge the US powers of surveillance as such, but rather the lack of necessary safeguards and remedies in relation with these powers. Schrems II does not include the harsh criticism against surveillance appearing in Schrems I where the CJEU clearly stated that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” (para. 94). Instead, it focuses on issues such deficiencies in the Privacy Shield Ombudsman mechanism or lack of effective remedies in the US by EU data subjects which have been pointed for years as problematic by various actors, including the EDPB (see links above).
Of course, several US and other commentators have expressed their pessimism about any chance that the US political economy will allow for a re-calibration of US law at the expense of surveillance capabilities, while extending US protections to foreigners has been presented as an “anathema to US law”. Similarly, US authorities have declared that it is neither “advisable nor possible” to consider an overhaul of surveillance powers in the short term.
Beyond specific arguments, one could also note the general frustration on the US side with a situation that resulted in a second major judicial assessment by a European Court in five years that US surveillance laws do not meet European human rights standards and need to be reformed. However, one should recall that this situation is far from being unusual and that the US government itself conditions several of its actions by an assessment of whether laws of foreign countries meet some necessary requirements, including human rights standards. One recent, important and particularly relevant example is the CLOUD Act adopted in March 2018. The second part of the CLOUD Act enables the US to conclude “executive agreements” with some qualified foreign governments, permitting the latter to access the content of (some) communications held by US service providers. But the conclusion of such an agreement is strictly conditioned by the fact that each “foreign government” must be “certified” by the Attorney General, with the concurrence of the Secretary of State, as affording “robust substantive and procedural protections” for privacy and civil liberties in its “domestic law,” among multiple other requirements. Indeed, the US Government recently “certified” that the UK meets such requirements, enabling the UK-US CLOUD Act Agreement to enter into force on July 8, 2020, just a few days before Schrems II.
It is thus to be hoped that, when the Schrems II dust settles down, experts from the two sides of the Atlantic will work together to present creative and innovative ideas, and that the EU and the US will engage in constructive negotiations in order to conclude, as soon as possible, a long lasting, solid and Court-proof arrangement for transatlantic data transfers.
- Uncertainties about the UK Adequacy Decision
While the immediate consequence of Schrems II was the invalidation of the EU-US Privacy Shield, an indirect consequence of the judgment could be to complicate a future EU-UK adequacy decision. The UK has particularly powerful surveillance laws and powers and has been condemned several times by the European Court of Human Rights (ECtHR) for not meeting the standards of the European Convention of Human Rights (ECHR) which, one could argue, might be somehow lower than the ones set by the CJEU (see infra).
The latest condemnation of UK surveillance laws by the ECtHR intervened on September 13, 2018, in the Big Brother Watch and Others judgment (discussed in this blog), which found that the techniques of massive interception of communications practiced by the British intelligence agency GCHQ violate two important rights of the ECHR: Article 8 (protection of privacy) and Article 10 (freedom of expression, given the lack of safeguards for the protection of journalists).
This case has been deferred to the Grand Chamber of the Court by the claimants who consider that the ECtHR did not go far enough in the condemnation of UK surveillance powers. The Grand Chamber held hearings in July 2019, with the judgment being expected in the coming months.
At the same time a new case brought by Privacy International and Others against the UK challenges the new UK Intelligence Services Act.
If the ECtHR finds in these two cases that the UK surveillance laws do not meet the standards of the ECHR, it could be extremely difficult for the Commission to declare that the UK meets the – even stricter – standards of EU Law, as interpreted by the CJEU. An adequacy decision adopted by the Commission despite such ECtHR condemnations, might be quickly challenged before the CJEU.
- Uncertainties about the Future of Other Adequacy Decisions
But it is not just the future EU-UK adequacy decision that is at risk. Let’s recall that, beyond the US, the European Commission has already adopted adequacy decisions for Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Adequacy talks are also ongoing with South Korea.
It would be interesting to follow future developments, including the Commission’s periodic reviews or eventual legal challenges at the CJEU, in relation with some of the past adequacy decisions, especially the one with Israel – a country that conducts extensive surveillance for national security purposes – potentially running afoul of the CJEU’s standards.
- Uncertainties on the Continuous Use of SCCs
Probably the most important uncertainty following Schrems II concerns the future use of SCCs for data transfers to the US (and other countries).
As the EDPB explained,
“while the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter […] shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country.”
If the protections offered in the third country are not enough and the exporter is not in a position to put in place “additional measures” (see infra, point 6) to remedy this problem, then the data transfers must cease. DPAs are invested with the task to control the whole process and can suspend or prohibit the transfer of data to a third country pursuant to SCCs, if, in their view the laws of the third country do not meet the EU legal standards and there is no other way to ensure protection of the data concerned.
For countries other than the US, which do not benefit from an EU “adequacy decision”, SCCs might remain for some time the main tool for data transfers. However, this will imply henceforward as assessment of whether the importer’s country has “equivalent with the EU” legal protections in place. Needless to say, this assessment, under the control of DPAs, could shut down data transfers to an important number of States (starting with China and Russia) whose legal systems offer substantially less guarantees than the US in relation with government access to data. Indeed, one can hardly imagine how personal data transfers to China could continue via TikTok or other companies after Schrems II.
As for the use of SCCs in order to transfer data to the US, it already appears “questionable” (to cite the Ireland’s Data Protection Commission) following the CJEU’s centralized and authoritative conclusion that US laws do not offer adequate protections. In reality, there are only two ways to continue using SCCs for data transfers to the US.
The first possibility is to demonstrate that some categories of data transferred and some data recipients are not concerned by US surveillance laws. Omer Tene has noted, for instance, that “US Foreign Intelligence Surveillance Act Section 702, Executive Order 12333 and Presidential Policy Directive 28 concern communication service providers, not retailers, manufacturers, health care or pharma companies, or the thousands of companies that use SCCs to export employee data to headquarters in the U.S. This means that the vast majority of companies can use SCCs in transfers to the US.” However, as other commentators noted, this “theory is untested, and it is far from clear which EU regulatory authority can provide comfort that such transfers are lawful.” Indeed, it could be a probatio diabolica to show that the data transferred on the basis of SCCs cannot be subject to US surveillance. In any case this would be almost impossible for companies that transfer contents of communication such as telecom and cloud providers or companies using services by such providers.
The second possibility, to which I will immediately turn, concerns the possibility to use the mysterious concept of “additional safeguards”.
- Uncertainties about the Meaning of “Additional Safeguards”
In several paragraphs of Schrems II, the CJEU hints to the possibility that, even if the laws of the importer’s country do not offer an “adequate” and “equivalent” level of protection in relation with government access to data, international transfers could still take place if the data controller puts in place “additional safeguards” (para. 134) or “additional measures” (para. 135), or “supplementary measures” (para. 133) or “effective mechanisms to make it possible in practice” (para. 137) to ensure the protection of the data transferred by other means. While the term “additional safeguards” already appears in recital 109 of the GDPR, it remains rather mysterious, especially in the context of the Schrems II judgment.
If one considers, for instance, that one of the main concerns of the Court was that the US system of surveillance does not offer effective judicial remedies to EU citizens, it is hard to imagine how any “additional safeguards” introduced by the data controller could change this.
Technical “additional safeguards” could indeed prove effective, if possible from a practical point of view. Companies could, for instance, encrypt data in transit in the US applying the strongest encryption protocols possible. Indeed, Schrems II could greatly enhance proponents of end-to-end encryption and other encryption techniques (and, at the same time, inversely increase already existing problems for law enforcement, especially in relation with end-to-end encryption!). Still, it remains to be seen whether encryption is always relevant and possible from a technical point of view and what would be the response to the argument that the NSA might have great capabilities in terms of deciphering encrypted data.
Beyond technical “additional safeguards”, one could ask if there might be additional legal safeguards. Daskal suggests that companies might challenge — and demand individual reviews of — all intelligence community demands for EU citizen and resident data. But as she acknowledges, “there is no guarantee that the companies will win such challenges; they are, after all, ultimately bound by US legal obligations to disclose.”
The EDPB itself seems to remain puzzled by the mysterious “additional safeguards” concept. In its initial statement it provided no guidance in this respect, just saying that it “is looking further into what these additional measures could consist of.” Its future guidance in this field is eagerly expected.
- Uncertainties about the Use of BCRs as a Silver Bullet
Hogan Lovells suggested, after Schrems II, that “given the specific protections included within Binding Corporate Rules [“BCRs”] to address the issue of data disclosures to government agencies and the high degree of scrutiny undertaken prior to their approval, [BCRs] will likely emerge as a most solid mechanism available to legitimize global data transfers.” Similarly, Wiley presented BCRs the “gold-standard” of data transfer mechanisms.
BCRs are provided for by Article 47 GDPR and present the interest to be approved a priori by the competent supervisory authority providing legal certainty for future data transfers. However, their generalization after Schrems II is confronted with two obstacles.
First, their negotiation and implementation can take years and is particularly onerous. As a result, BCRs are only used by large companies with wide-ranging data transfer obligations. Of course, one could imagine that if BCRs prove to be the magic bullet after Schrems II, SMEs with common activities and interests could try to form groups in order to reduce costs and undertake together the negotiation of BCRs.
However, there is a second obstacle to the use of BCRs: they will be met by exactly the same difficulty as SCCs, namely that the transfer in both cases will be impossible if the third country’s laws do not meet the EU protection standards. Indeed, Kuner rightly observes that the Schrems II protective standard “presumably also applies to other appropriate safeguards under Art. 46 (such as BCRs), which will raise the bar for them as well.” The essentially equivalent level of protection standard applies to all legal mechanisms of transfer, not just SCCs.
- Uncertainties about the Use of Article 49 Derogations
As mentioned above, the Court in para. 202 of Schrems II refused the idea of a legal vacuum following its judgment, suggesting that Article 49 GDPR “details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.”
Taking into consideration the uncertainties mentioned in the analysis above, companies might be tempted to use the derogations of Article 49 as an ultimum refugium for valid data transfers to the US. However, this would be pretty much problematic.
As a matter of fact, the EDPB has cautioned in two different recent occasions that Article 49 derogations are not meant to be used for “routine”, “systematic” or “ongoing” transfers. Both in its Guidelines 2/2018 on derogations of Article 49 under the GDPR, adopted on May 25, 2018 and in its Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data, adopted on July 10, 2019, the EDPB stressed that Article 49 derogations, as any derogations, must “be interpreted strictly so that the exception does not become the rule.” The EDPB emphasized that
“even those derogations which are not expressly limited to ‘occasional’ or ‘not repetitive’ transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”
This position shuts somehow the door to attempts to use Article 49 derogations as a substitute to systematic data transfers based on the legal basis of Articles 45, 46 or 47 GDPR.
Still, pending better alternatives, companies might certainly be tempted by some Article 49 derogations and, especially, the one based on “explicit consent”. It would not be surprising if in the future companies require explicit consent from users in order to proceed to international data transfers which, in turn, presupposes to inform them that their data will be transferred to a country that does not provide adequate protection. Users could then find themselves compelled to consent in order to use a specific service (such as a social network). This would create an unwelcome situation that should definitely be addressed by the EDPB.
- Uncertainties about Codes of Conduct and Other New Options
Christopher Kuner suggested that, taking into consideration all these uncertainties, “one idea could be to develop codes of conduct or certification mechanisms together with enforceable commitments covering US data flows as foreseen under Article 46(2) GDPR.” He notes that “codes of conduct and certification mechanisms as a legal basis for data transfers have not been approved under the GDPR thus far, but seem worthy of investigation as potentially a new way forward.”
It would be interesting to have more precisions about this suggestion which creates new uncertainties. Indeed, taking into consideration the fact that the “Schrems II standard” applies, as stressed by Kuner, not only to SCCs but to all legal tools for data transfers, it is hard to imagine how codes of conduct or certification mechanisms could work any better than SCCs and permit to address the problem of the absence of equivalent protection in the country of destination.
II. Constitutional Implications for Greater Europe
Beyond the creation of all these uncertainties, Schrems II has some important constitutional implications, both for the EU and for the greater European public order.
A. A Shakeup of the EU Equivalent Protection Mechanisms
Schrems II might have profound implications for the system of assessing whether a third country, to which data are transferred, ensures an adequate level of protection. Till now this assessment was done in a centralized way, by the Commission. Without questioning the Commission’s powers in this respect, Schrems II operates a huge turn towards a “privatization” and decentralization of such assessments. Taking into consideration, nonetheless, the risks of fragmentation resulting from such an approach, the CJEU proposes a “re-centralization” with an extremely powerful role henceforward for the EDPB.
- Before Schrems II: A Centralised Mechanism Based on the Commission’s Assessment
Article 45 GDPR entrusts the Commission with the power to decide whether a third country or an international organization ensures an adequate level of protection in order for personal data to be transferred on the basis of such an adequacy decision. The adoption of an adequacy decision involves specific procedures and criteria in order to proceed to the assessment of the third country’s laws. As stated earlier (supra, Part I.B.4.) the Commission has so far recognized 12 countries or territories other than the US as providing adequate protection while adequacy talks are ongoing with South Korea.
Centralized adequacy decisions by the Commission lie normally at the top of the mechanisms for international data transfers. “Transfers subject to appropriate safeguards”, including SCCs, can take place under Article 46 GDPR when there is no adequacy decision. As noted by Kuner in his OUP commentary of Article 46 GDPR, “such appropriate safeguards are based not on a detailed evaluation of the legal system of the country or international organisation to which the data are to be transferred, as is the case when an adequacy decision has been issued under Article 45, but on a set of protections that apply to the particular data transfer or set of transfers.” By saying that henceforward transfers under Article 46 (or, by the same token, 47) GDPR also need to be based on the evaluation of the legal system of the third country, the CJEU operates a huge constitutional adjustment and a turn towards decentralization.
- A Turn to Privatisation/Decentralisation?
As explained earlier, the CJEU stressed that there is an obligation incumbent on both the data exporter and importer to verify, prior to effectively carrying out a transfer, whether the expected level of protection is attained in the third country concerned. This process takes place under the control of the competent national supervisory authority. This seems like a turn to “privatization” of adequacy assessments, coupled by a decentralized review by national DPAs.
2.1. Companies to Assess Sovereign States Surveillance Laws? Well, Good Luck With It!
The CJEU instructs companies, when exporting personal data under SCCs, to “verify whether the law of the third country of destination ensures adequate protection under EU law” (para. 134), and also “to verify […] whether the level of protection required by EU law is respected in the third country concerned” (para. 142). If the company finds that the third country does not offer adequate protections and there are no other means (supra, Part 1.B.5.) to ensure protection of the data, then the data exporter would be obliged to suspend the transfer and/or terminate the contract with the data importer.
This private assessment of foreign countries laws will be a particularly difficult operation.
Consider, for instance, a European company doing business with Russia or India. Could it be possible, for such a company, to declare tomorrow that it will not transfer personal data to these countries anymore because Russian or Indian laws do not offer sufficient human rights protections? What would be the economic and other consequences (including reprisals by the States concerned) of such a declaration for this company?
Beyond diplomatic, political and economic considerations, the “privatization” of adequacy assessments will undoubtedly be extremely difficult from a legal point of view. The European Commission itself, with its giant technocratic expertise and its armada of high-skilled lawyers, proved to be wrong twice in relation with such assessments, once with Safe Harbor and once with the Privacy Shield (not to mention the PNR Agreement with Canada or the first PNR Agreement with the US). How could European SMEs do any better than the Commission? On the basis of what legal expertise are they going to assess third-countries laws?
Even if some big companies might be able to pay expensive lawyers to proceed to such legal evaluations, how exactly are they going to proceed? Surveillance laws in several countries are often inaccessible, constituted by a series of complex instruments with no translations handy. Practice has shown that even a court such as the ECtHR, which is the international human rights body having by far the most extensive experience (since 1978 and the famous Klass and others v./ Germany case) in controlling national surveillance laws, is struggling to operate such a complex and difficult control. It often takes years for the Court to deliver a judgment on surveillance cases. How are private companies supposed to do it as a matter of days or months? And on the basis of which exact criteria? A study of the ECtHR’s case law shows that the criteria used to assess the compatibility of national surveillance laws with the ECHR standards are constantly evolving, not only because of the use of new surveillance techniques by intelligence agencies but also because the Court itself is struggling in order to strike the right balance between the need for security and the need to protect effectively human rights.
The supervisory role of national DPAs offers little comfort in relation with the difficulties posed by such “private” assessments of adequacy.
2.2. European DPAs: Between Perplexity and Frustration?
These company-by-company assessments must be overseen by the data protection authorities. As the Court said, “the competent supervisory authority is required […] to suspend or prohibit such a transfer, if, in its view and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means […]” (para. 146).
The CJEU thus puts national DPAs under pressure to control the adequacy assessments of private companies, suspend or terminate data transfers to countries not meeting the EU protection requirements and take enforcement actions against companies that do not respect the CJEU’s theoretical framework for data transfers.
It is, however, more than questionable whether national DPAs are in a position to proceed to an assessment of third-country surveillance laws. DPAs, which already have other huge tasks and are often heavily understaffed, will certainly face exactly the same difficulties as mentioned above in relation with private companies. Moreover, it should be emphasized that most DPAs in the EU have no competence whatsoever to control the content or application of their own countries’ surveillance laws. Indeed, their tasks under the GDPR do not include access to data by intelligence or law enforcement agencies. As for the control of the legality and application of national surveillance laws, it is often entrusted to national tribunals or independent administrative authorities other than the DPAs. After Schrems II, DPAs will find themselves in the uncomfortable position of becoming experts in foreign surveillance laws and to suspend data transfers to any country where EU standards cannot be met.
The first reactions by national DPAs to the Schrems II judgment demonstrate a degree of unease with such a perspective. In a statement issued on July 16, 2020, for instance, the Hamburg data protection chief Johannes Caspar declared that: “Uncertainty has increased. The [Court] is passing the ball to the European supervisory authorities.”
- Back to Centralisation? The EDPB Becomes the Grand Assessor of Global Legal Adequacy
Entrusting national DPAs with the task to issue “adequacy decisions”, after such complex and difficult assessments of foreign countries laws, presents the risk of fragmentation and divergent views on these issues. In para. 147 of Schrems II the Court proposed a solution by saying that if supervisory authorities disagree about transfers, the EDPB is assigned to resolve such disputes. The Court thus goes back to the need for centralization but the organ entrusted with this mission is not the Commission anymore, but the EDPB.
The constitutional significance of this development is evident: the EDPB becomes the all-mighty assessor of global legal adequacy. But if a centralized assessment of adequacy is, in my opinion, a real necessity, the intervention of the EDPB does not come without problems.
First, the difficulties mentioned above in relation with “decentralized” assessment of foreign national security laws by companies and national DPAs remain relevant here also. The EDPB has certainly much more expertise than individual actors, but the experience of the ECtHR shows, once again, how difficult and time-consuming is the task.
Second, the articulation with the Commission’s own assessments under article 45 needs clarification. After Schrems II the Commission remains, of course, competent to proceed to adequacy decisions under Article 45 GDPR, but the EDPB is also entrusted with the mission to assess the adequacy of foreign laws in all situations where there is no adequacy decision by the Commission yet. Consider now the following situation: what happens if the Commission is in advanced adequacy negotiations with foreign country X and the EDPB declares that this country X does not meet the EU standards of protection? It would be extremely tricky for the Commission to move forward with an adequacy arrangement. As mentioned earlier, the EDPB had expressed its concerns about the Privacy Shield and the “adequacy” of US law – but this was just an opinion expressed. The EDPB might have henceforward the power to “torpedo” a future third agreement with the US by declaring, just before its conclusion, that the US law still does not meet EU standards. Inversely, what is henceforward the need for Article 45 adequacy decisions by the Commission if the EDPB has already declared that a specific country’s surveillance laws are “adequate”? Non bis in idem… The Commission has several reasons to feel frustrated and weakened after Schrems II…
There is a final third difficulty: how exactly will assessments of third countries laws by the EDPB be subject to judicial review in the future? We do know how to review the Commission’s adequacy decisions, Scherms I and II are the talking examples of how judicial review works. But what about EDPB adequacy assessments? Are they subject to annulment under Article 263(1) TFEU as “acts of bodies, offices or agencies of the Union intended to produce legal effects vis- à-vis third parties”? It might be interesting to see the CJEU reviewing the decisions of the EDPB in this field.
B. Implications for the European public order
The constitutional implications of Schrems II should not be discussed solely in relation with EU Law. They should also be assessed in relation with the broader “European public order”, which includes the law of the ECHR as interpreted by the ECtHR. It should be recalled in this respect (especially for non-European readers) that protection of fundamental rights in Europe takes place both under EU law (and its Charter of Fundamental Rights) and the human rights instruments of the broader Council of Europe (which includes the 27 EU Member States but also 20 other European States), starting with the ECHR. The concept of the “European public order”, while always a topic of heated debate and divergent views (see here, for instance), permits to capture this idea of broader European constitutional principles in the field of human rights.
As a result of the fact that both the CJEU and the ECtHR constantly intervene on matters concerning fundamental rights, it is no surprise that the CJEU explicitly refers to the case law of the ECHR and vice versa. In a field so important such as the assessment of the compatibility of surveillance laws with fundamental rights, one would expect that the “dialogue of European Judges” would be particularly rich and constructive. Schrems II proves that this is far from being the case.
As mentioned earlier, while the CJEU has rendered some important judgments in relation with surveillance, the ECtHR has, since 1978, a much more extensive case law on these issues. Indeed, the Opinion of Advocate General (AG) Henrik Saugmandsgaard Øe issued in December 2019 in Schrems II mentioned the case law of the ECtHR no less than 41 times! Against this background, how many times did the CJEU mentioned the ECtHR in its July 16, 2020 judgment? The answer is: zero!
This probably reflects a certain degree of frustration of the CJEU with the fact that the ECtHR itself mentioned only in a limited and rather non-influential way the case law of the CJEU in two recent landmark rulings on surveillance. Indeed, the 2018 Centrum för Rättvisa and Big Brother Watch ECtHR judgments refer to the case law of the CJEU but only in the “relevant case-law” part of the judgments (see for instance para. 224-236 of Big Brother Watch), not really in a way that influences the outcome of the Court’s decisions.
But this fact also reflects eventually a more profound divergence of views. As I explained in a separate post in this blog, the two above-mentioned 2018 judgments of the ECtHR seem to indicate a certain departure from the “strict necessity” standard established by the CJEU (and followed by the ECtHR in the 2016 Szabó and Vissy v. Hungary judgment) in favour of a more flexible approach, recognizing a wide margin of appreciation in favour of national authorities in the field of surveillance and endorsing the policy of bulk surveillance as a “valuable means” to protect national security.
A scholar observed that “the relation between the CJEU and the ECtHR has a glorious past and can continue to have a bright future.” In the field of surveillance it will be interesting to see how the “dialogue of European Judges” could evolve and what could be the effects of Schrems II. The ball is now in the ECtHR court as both Centrum för Rättvisa and Big Brother Watch have been challenged by the applicants and are now pending before the ECtHR Grand Chamber with the judgments expected later in 2020.
Conclusion: Towards Data Localization?
Schrems II is an important constitutional judgment with profound implications. It creates a lot of uncertainties about the future of international data transfers. Satisfactory solutions for all stakeholders could be found but, in the meanwhile, guidance by the EDPB about the way forward is urgently needed. The author believes that one of the most urgent tasks should be to provide for centralized and a priori assessments of adequacy. This could be done either by an acceleration of Article 45 adequacy decisions by the Commission or by an active role of the EDBP that should define when and how data transfers can be operated under SCCs in the absence of an adequacy decision. Precisions about the concept of “additional safeguards” are also urgently needed.
It is interesting to note that, without waiting for such developments, some persons in Europe are already calling for data localization as the only credible solution. The declaration of the Berlin data commissioner on July 17, 2020 has been particularly highlighted. The Berlin’s data protection watchdog has called for data currently stored in the US to be relocated to the EU. “Now is the time for Europe’s digital independence,” said the Berlin data commissioner Maja Smoltczyk.
Other scholars noted, however, that keeping all personal data in Europe would be expensive (especially for SMEs) and cause numerous technical problems. But more fundamentally, they said, “it is hard to imagine how multinational companies and services could carry out their business if data entering the EU cannot emerge from it.”
It is interesting to recall, in this respect, that the concept of data localization seems to fall short the European Commission’s objective to “further facilitate international data flows”. The European strategy for data, published on 19 February 2020, stresses, for instance, that “international data flows are indispensable for [EU companies] competitiveness.” Similarly, the Commission notes in its recent Second Review of the GDPR (at page 13) that “synergies between trade and data protections instruments should be further explored to ensure free and safe international data flows that are essential for the business operations, competitiveness and growth of European companies, including SMEs, in the increasingly digitalised economy.”
It remains to be seen if Schrems II will result in more harmonized global data protection standards enabling the creation of solid legal instruments for future international data transfers or, instead, to a limitation of free data flows and data localization solutions, the consequences of which have not yet been adequately studied.