After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe – Part Two

By TAP Guest Blogger

Posted on July 24, 2020


This is the second of a two-part post from TAP guest blogger, Professor Theodore Christakis, University Grenoble Alpes. “After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe” is republished with permission.


In this second part, Professor Christakis discusses the constitutional implications created by the Schrems II judgment not only for the EU but also for greater Europe. Part one examines the uncertainties created for the future of international data transfers.


II. Constitutional Implications for Greater Europe


Beyond the creation of all these uncertainties, Schrems II has some important constitutional implications, both for the EU and for the greater European public order.


A. A Shakeup of the EU Equivalent Protection Mechanisms


Schrems II might have profound implications for the system of assessing whether a third country, to which data are transferred, ensures an adequate level of protection. Till now this assessment was done in a centralized way, by the Commission. Without questioning the Commission’s powers in this respect, Schrems II operates a huge turn towards a “privatization” and decentralization of such assessments. Taking into consideration, nonetheless, the risks of fragmentation resulting from such an approach, the CJEU proposes a “re-centralization” with an extremely powerful role henceforward for the EDPB.


1. Before Schrems II: A Centralised Mechanism Based on the Commission’s Assessment


Article 45 GDPR entrusts the Commission with the power to decide whether a third country or an international organization ensures an adequate level of protection in order for personal data to be transferred on the basis of such an adequacy decision. The adoption of an adequacy decision involves specific procedures and criteria in order to proceed to the assessment of the third country’s laws. As stated earlier (supra, Part I.B.4.) the Commission has so far recognized 12 countries or territories other than the US as providing adequate protection while adequacy talks are ongoing with South Korea.


Centralized adequacy decisions by the Commission lie normally at the top of the mechanisms for international data transfers. “Transfers subject to appropriate safeguards”, including SCCs, can take place under Article 46 GDPR when there is no adequacy decision. As noted by Kuner in his OUP commentary of Article 46 GDPR, “such appropriate safeguards are based not on a detailed evaluation of the legal system of the country or international organisation to which the data are to be transferred, as is the case when an adequacy decision has been issued under Article 45, but on a set of protections that apply to the particular data transfer or set of transfers.” By saying that henceforward transfers under Article 46 (or, by the same token, 47) GDPR also need to be based on the evaluation of the legal system of the third country, the CJEU operates a huge constitutional adjustment and a turn towards decentralization.


2. A Turn to Privatisation/Decentralisation?


As explained earlier, the CJEU stressed that there is an obligation incumbent on both the data exporter and importer to verify, prior to effectively carrying out a transfer, whether the expected level of protection is attained in the third country concerned. This process takes place under the control of the competent national supervisory authority. This seems like a turn to “privatization” of adequacy assessments, coupled by a decentralized review by national DPAs.


2.1. Companies to Assess Sovereign States Surveillance Laws? Well, Good Luck With It!


The CJEU instructs companies, when exporting personal data under SCCs, to “verify whether the law of the third country of destination ensures adequate protection under EU law” (para. 134), and also “to verify […] whether the level of protection required by EU law is respected in the third country concerned” (para. 142). If the company finds that the third country does not offer adequate protections and there are no other means (supra, Part 1.B.5.) to ensure protection of the data, then the data exporter would be obliged to suspend the transfer and/or terminate the contract with the data importer.


This private assessment of foreign countries laws will be a particularly difficult operation.


Consider, for instance, a European company doing business with Russia or India. Could it be possible, for such a company, to declare tomorrow that it will not transfer personal data to these countries anymore because Russian or Indian laws do not offer sufficient human rights protections? What would be the economic and other consequences (including reprisals by the States concerned) of such a declaration for this company?


Beyond diplomatic, political and economic considerations, the “privatization” of adequacy assessments will undoubtedly be extremely difficult from a legal point of view. The European Commission itself, with its giant technocratic expertise and its armada of high-skilled lawyers, proved to be wrong twice in relation with such assessments, once with Safe Harbor and once with the Privacy Shield (not to mention the PNR Agreement with Canada or the first PNR Agreement with the US). How could European SMEs do any better than the Commission? On the basis of what legal expertise are they going to assess third-countries laws?


Even if some big companies might be able to pay expensive lawyers to proceed to such legal evaluations, how exactly are they going to proceed? Surveillance laws in several countries are often inaccessible, constituted by a series of complex instruments with no translations handy. Practice has shown that even a court such as the ECtHR, which is the international human rights body having by far the most extensive experience (since 1978 and the famous Klass and others v./ Germany case) in controlling national surveillance laws, is struggling to operate such a complex and difficult control. It often takes years for the Court to deliver a judgment on surveillance cases. How are private companies supposed to do it as a matter of days or months? And on the basis of which exact criteria? A study of the ECtHR’s case law shows that the criteria used to assess the compatibility of national surveillance laws with the ECHR standards are constantly evolving, not only because of the use of new surveillance techniques by intelligence agencies but also because the Court itself is struggling in order to strike the right balance between the need for security and the need to protect effectively human rights.


The supervisory role of national DPAs offers little comfort in relation with the difficulties posed by such “private” assessments of adequacy.


2.2. European DPAs: Between Perplexity and Frustration?


These company-by-company assessments must be overseen by the data protection authorities. As the Court said, “the competent supervisory authority is required […] to suspend or prohibit such a transfer, if, in its view and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means […]” (para. 146).


The CJEU thus puts national DPAs under pressure to control the adequacy assessments of private companies, suspend or terminate data transfers to countries not meeting the EU protection requirements and take enforcement actions against companies that do not respect the CJEU’s theoretical framework for data transfers.


It is, however, more than questionable whether national DPAs are in a position to proceed to an assessment of third-country surveillance laws. DPAs, which already have other huge tasks and are often heavily understaffed, will certainly face exactly the same difficulties as mentioned above in relation with private companies. Moreover, it should be emphasized that most DPAs in the EU have no competence whatsoever to control the content or application of their own countries’ surveillance laws. Indeed, their tasks under the GDPR do not include access to data by intelligence or law enforcement agencies. As for the control of the legality and application of national surveillance laws, it is often entrusted to national tribunals or independent administrative authorities other than the DPAs. After Schrems II, DPAs will find themselves in the uncomfortable position of becoming experts in foreign surveillance laws and to suspend data transfers to any country where EU standards cannot be met.


The first reactions by national DPAs to the Schrems II judgment demonstrate a degree of unease with such a perspective. In a statement issued on July 16, 2020, for instance, the Hamburg data protection chief Johannes Caspar declared that: “Uncertainty has increased. The [Court] is passing the ball to the European supervisory authorities.”


3. Back to Centralisation? The EDPB Becomes the Grand Assessor of Global Legal Adequacy


Entrusting national DPAs with the task to issue “adequacy decisions”, after such complex and difficult assessments of foreign countries laws, presents the risk of fragmentation and divergent views on these issues. In para. 147 of Schrems II the Court proposed a solution by saying that if supervisory authorities disagree about transfers, the EDPB is assigned to resolve such disputes. The Court thus goes back to the need for centralization but the organ entrusted with this mission is not the Commission anymore, but the EDPB.


The constitutional significance of this development is evident: the EDPB becomes the all-mighty assessor of global legal adequacy. But if a centralized assessment of adequacy is, in my opinion, a real necessity, the intervention of the EDPB does not come without problems.


First, the difficulties mentioned above in relation with “decentralized” assessment of foreign national security laws by companies and national DPAs remain relevant here also. The EDPB has certainly much more expertise than individual actors, but the experience of the ECtHR shows, once again, how difficult and time-consuming is the task.


Second, the articulation with the Commission’s own assessments under article 45 needs clarification. After Schrems II the Commission remains, of course, competent to proceed to adequacy decisions under Article 45 GDPR, but the EDPB is also entrusted with the mission to assess the adequacy of foreign laws in all situations where there is no adequacy decision by the Commission yet. Consider now the following situation: what happens if the Commission is in advanced adequacy negotiations with foreign country X and the EDPB declares that this country X does not meet the EU standards of protection? It would be extremely tricky for the Commission to move forward with an adequacy arrangement. As mentioned earlier, the EDPB had expressed its concerns about the Privacy Shield and the “adequacy” of US law – but this was just an opinion expressed. The EDPB might have henceforward the power to “torpedo” a future third agreement with the US by declaring, just before its conclusion, that the US law still does not meet EU standards. Inversely, what is henceforward the need for Article 45 adequacy decisions by the Commission if the EDPB has already declared that a specific country’s surveillance laws are “adequate”? Non bis in idem… The Commission has several reasons to feel frustrated and weakened after Schrems II


There is a final third difficulty: how exactly will assessments of third countries laws by the EDPB be subject to judicial review in the future? We do know how to review the Commission’s adequacy decisions, Scherms I and II are the talking examples of how judicial review works. But what about EDPB adequacy assessments? Are they subject to annulment under Article 263(1) TFEU as “acts of bodies, offices or agencies of the Union intended to produce legal effects vis- à-vis third parties”? It might be interesting to see the CJEU reviewing the decisions of the EDPB in this field.


B. Implications for the European public order


The constitutional implications of Schrems II should not be discussed solely in relation with EU Law. They should also be assessed in relation with the broader “European public order”, which includes the law of the ECHR as interpreted by the ECtHR. It should be recalled in this respect (especially for non-European readers) that protection of fundamental rights in Europe takes place both under EU law (and its Charter of Fundamental Rights) and the human rights instruments of the broader Council of Europe (which includes the 27 EU Member States but also 20 other European States), starting with the ECHR. The concept of the “European public order”, while always a topic of heated debate and divergent views (see here, for instance), permits to capture this idea of broader European constitutional principles in the field of human rights.


As a result of the fact that both the CJEU and the ECtHR constantly intervene on matters concerning fundamental rights, it is no surprise that the CJEU explicitly refers to the case law of the ECHR and vice versa. In a field so important such as the assessment of the compatibility of surveillance laws with fundamental rights, one would expect that the “dialogue of European Judges” would be particularly rich and constructive. Schrems II proves that this is far from being the case.


As mentioned earlier, while the CJEU has rendered some important judgments in relation with surveillance, the ECtHR has, since 1978, a much more extensive case law on these issues. Indeed, the Opinion of Advocate General (AG) Henrik Saugmandsgaard Øe issued in December 2019 in Schrems II mentioned the case law of the ECtHR no less than 41 times! Against this background, how many times did the CJEU mentioned the ECtHR in its July 16, 2020 judgment? The answer is: zero!


This probably reflects a certain degree of frustration of the CJEU with the fact that the ECtHR itself mentioned only in a limited and rather non-influential way the case law of the CJEU in two recent landmark rulings on surveillance. Indeed, the 2018 Centrum för Rättvisa and Big Brother Watch ECtHR judgments refer to the case law of the CJEU but only in the “relevant case-law” part of the judgments (see for instance para. 224-236 of Big Brother Watch), not really in a way that influences the outcome of the Court’s decisions.


But this fact also reflects eventually a more profound divergence of views. As I explained in a separate post in this blog, the two above-mentioned 2018 judgments of the ECtHR seem to indicate a certain departure from the “strict necessity” standard established by the CJEU (and followed by the ECtHR in the 2016 Szabó and Vissy v. Hungary judgment) in favour of a more flexible approach, recognizing a wide margin of appreciation in favour of national authorities in the field of surveillance and endorsing the policy of bulk surveillance as a “valuable means” to protect national security.


A scholar observed that “the relation between the CJEU and the ECtHR has a glorious past and can continue to have a bright future.” In the field of surveillance it will be interesting to see how the “dialogue of European Judges” could evolve and what could be the effects of Schrems II. The ball is now in the ECtHR court as both Centrum för Rättvisa and Big Brother Watch have been challenged by the applicants and are now pending before the ECtHR Grand Chamber with the judgments expected later in 2020.


Conclusion: Towards Data Localization?


Schrems II is an important constitutional judgment with profound implications. It creates a lot of uncertainties about the future of international data transfers. Satisfactory solutions for all stakeholders could be found but, in the meanwhile, guidance by the EDPB about the way forward is urgently needed. The author believes that one of the most urgent tasks should be to provide for centralized and a priori assessments of adequacy. This could be done either by an acceleration of Article 45 adequacy decisions by the Commission or by an active role of the EDBP that should define when and how data transfers can be operated under SCCs in the absence of an adequacy decision. Precisions about the concept of “additional safeguards” are also urgently needed.


It is interesting to note that, without waiting for such developments, some persons in Europe are already calling for data localization as the only credible solution. The declaration of the Berlin data commissioner on July 17, 2020 has been particularly highlighted. The Berlin’s data protection watchdog has called for data currently stored in the US to be relocated to the EU. “Now is the time for Europe’s digital independence,” said the Berlin data commissioner Maja Smoltczyk.


Other scholars noted, however, that keeping all personal data in Europe would be expensive (especially for SMEs) and cause numerous technical problems. But more fundamentally, they said, “it is hard to imagine how multinational companies and services could carry out their business if data entering the EU cannot emerge from it.”


It is interesting to recall, in this respect, that the concept of data localization seems to fall short the European Commission’s objective to “further facilitate international data flows”. The European strategy for data, published on 19 February 2020, stresses, for instance, that “international data flows are indispensable for [EU companies] competitiveness.” Similarly, the Commission notes in its recent Second Review of the GDPR (at page 13) that “synergies between trade and data protections instruments should be further explored to ensure free and safe international data flows that are essential for the business operations, competitiveness and growth of European companies, including SMEs, in the increasingly digitalised economy.”


It remains to be seen if Schrems II will result in more harmonized global data protection standards enabling the creation of solid legal instruments for future international data transfers or, instead, to a limitation of free data flows and data localization solutions, the consequences of which have not yet been adequately studied.


Read more:


Theodore Christakis (@TC_IntLaw) is Professor of International and European Law at the University Grenoble Alpes (France) and a Senior Fellow with the Cross-Border Data Forum. He is a Member of the French National Digital Council and the French National Committee on Data Ethics. He also holds a Chair on the ‘Legal and Regulatory Implications of Artificial Intelligence’ within the Multidisciplinary Institute in Artificial Intelligence (MIAI, France). As an international expert he has advised governments, international organisations and companies on issues concerning International Law, Data Protection and Cybersecurity and he also acts as external Data Protection Officer under the GDPR.


The preceding is republished on TAP with permission by its author, Professor Theodore Christakis and by the European Law Blog. “After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe” was first published on July 21, 2020 with the European Law Blog.