Ways Out of Schrems II Judgment
Business representatives and the EU and U.S. administrations have begun to think about the consequences of the CJEU’s judgment in Schrems II of July 2020 (see eucrim 2/2020, pp. 98-99). In a joint press release of 10 August 2020, the European Commission and the U.S. Department of Commerce started talks “to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.” Both sides emphasised that they share a commitment to privacy and the rule of law; at the same time, the economic relationship should be further deepened.
Statewatch reported that observers meanwhile believe that a replacement of the Privacy Shield is likely, but would also be struck down by the courts if the U.S. is not willing to undertake significant reforms of its legal system. This concerns, in particular, U.S. surveillance powers and sufficient redress for data subjects in the EU – the two main arguments of the CJEU when it declared the current Privacy Shield invalid.
None of your business (noyb) – the NGO founded by Maximilian Schrems – compiled FAQs that give a simple overview of the judgment and the questions answered. The FAQs stress that the judgment does not affect transfers of (1) data that is not “personal data” and (2) “necessary” data to the United States (e.g., emails to the USA, bookings in the USA, business transactions, etc.). However, businesses must review their practices if they outsource data processing to the USA, i.e., if they choose to transfer personal data because it is easier, cheaper, or more practical to store it with a U.S. service provider than a European provider. Noyb also provides information on the consequences of the judgment for consumers and companies, possible actions by EU and U.S. companies, and potential political solutions.
On 29 October 2020, the European Data Protection Supervisor (EDPS) issued a strategy paper that aims to ensure and monitor compliance of EU institutions, bodies, offices and agencies (EUIs) with the Schrems II ruling. The paper supports EUIs so that ongoing and future international transfers comply with EU law, in particular Regulation 2018/1725 (see eucrim 4/2018, 200-201). The EDPS drafted a compliance action plan, including both short-term and mid-term measures. As a short-term compliance action, the EDPS calls, for instance, on EUIs to complete a mapping exercise identifying which ongoing contracts, procurement procedures and other types of cooperation involve transfers of data. As far as new processing operations or new contracts with service providers are concerned, the EDPS strongly encourages EUIs to avoid transfers of personal data to the United States. In the medium term, the EDPS will ask EUIs to carry out Transfer Impact Assessments (TIAs) on a case-by-case basis. Subsequently, the EDPS will collect further information and start working with the EUIs on joint assessments of the level of protection of personal data afforded in third countries.