EP: Commission Must Halt Adequacy Decisions that Do Not Comply with CJEU’s Standards
29 June 2021
2018-Max_Planck_Herr_Wahl_1355_black white_Zuschnitt.jpg Thomas Wahl

On 20 May 2021, the European Parliament (EP) adopted a resolution on the future of data transfers to the USA following the CJEU’s judgment in Schrems II. In this judgment (→ eucrim 2/2020, 98), the CJEU found that the current legal framework allowing data transfers between the EU and the US on the basis of the “Privacy Shield” is invalid. However, it accepted the use of standard contractual clauses (“SCCs”) to facilitate transfers, as long as EU-based entities verify the recipient country’s level of data protection before the transfer. Suspension of data transfers may be required if the data transferred are subject to mass surveillance by US intelligence authorities.

As a reaction to the ruling in Schrems II, the EP requests, inter alia:

  • The Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance;
  • The EDPB should give further guidance on international data transfers for companies, especially SMEs;
  • Companies must continuously assess the best measures to transfer data lawfully;
  • The Commission must proactively monitor the use of mass surveillance technologies in the US and in other third countries that are or could be the subject of an adequacy finding and it must not adopt adequacy decisions concerning countries where mass surveillance laws and programmes do not meet the criteria of the CJEU, either in letter or spirit;
  • The Commission must bring in line current practices of exchanges of personal data with the standards set in the CJEU judgments in Schrems I and II, e.g. transfers under the Terrorist Financing Tracking Program, the EU-US PNR Agreement and agreements implementing the US Foreign Tax Compliance Act (FATCA);
  • The Commission must analyse the impact of the judgments in Schrems on the EU-US Umbrella Agreement and consider consequences;
  • The Union must reach digital autonomy, e.g., by investing in European data storage tools;
  • The conclusion of “no-spy agreements” can be an option if the US side does not modify its surveillance laws and practice.

In general, the resolution criticises national authorities in the EU for failing to enforce the GDPR properly, as MEPs consider them to have overlooked international data transfers and failed to take meaningful corrective decisions.