After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe – Part One

By TAP Guest Blogger

Posted on July 23, 2020



This is the first of a two-part post from TAP guest blogger, Professor Theodore Christakis, University Grenoble Alpes. “After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe” is republished with permission.

 

In this first part, Professor Christakis discusses the uncertainties created by the Schrems II judgment for the future of international data transfers. Part two [to be posted tomorrow] will examine the constitutional implications, not only for the EU, but also for greater Europe.

 

Introduction

 

The judgment issued by the Court of Justice of the EU (CJEU) on 16 July 2020 in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), is without doubt a constitutional judgment. It strongly affirms the importance of maintaining a high level of protection for personal data transferred from the European Union to third countries, and it deals comprehensively with the issue of government access to data, not only by the United States (US) but also by any other country. By doing so it creates many uncertainties about the legal basis of future data transfers from the EU to other countries. It also has important constitutional implications for the European public order.

 

This article will not discuss the facts of the case or the arguments used by the Court in relation to the Privacy Shield arrangement or Standard Contractual Clauses (SCCs). This has already been done in this blog in the excellent analysis published last Friday by Christopher Kuner. Similarly, a series of very interesting comments have been published since last Thursday, ranging from the first reactions of Max Schrems’ organisation noyb to US perspectives on the judgment offered by Peter Swire, Jennifer Daskal, and Kenneth Propp and Peter Swire.

 

The objective of this article will be to offer some complementary thoughts and perspectives focusing on the uncertainties created by the judgment for the future of international data transfers (Part I) and the constitutional implications not only for the EU but also for greater Europe (Part II).

 

I. Schrems II Places International Data Transfers in a Legal Limbo

 

At a theoretical level, Schrems II appears as a strong constitutional confirmation of the importance of building a solid, comprehensive and coherent regime of protection for European personal data transfers, including against governmental access to such data. In practice, however, the judgment creates many uncertainties about the legal basis for future data transfers from Europe to the US and the rest of the world. The huge challenge after Schrems II will be to reconcile theory with practice.

 

A. In Theory Schrems II Proposes a Holistic and Coherent Regime of Protection

 

From several points of view the CJEU remains faithful to itself. As Kuner rightly noted, “the holdings of the Schrems II judgment are not unexpected”. Indeed, people familiar with the case law of the CJEU know that the Court has adopted, over the last years, a very strong stance in favour of data protection, whatever the practical consequences. For the Court, it is for the law to govern technology, not the other way around. Governments, corporations and other stakeholders thirsty for data must find solutions that fit the theoretical framework of strong data and privacy protections developed by the Court on the basis of the relevant EU law.

 

In the 2014 Digital Rights Ireland judgment the CJEU declared the Data Retention Directive invalid, and in the 2016 Tele2 Sverige and Tom Watson and Others judgments the Court imposed severe limitations on the data retention regimes adopted by EU governments, despite knowing that this would infuriate law enforcement agencies around Europe.

 

In 2006 the CJEU annulled the 2004 Passenger Name Record (PNR) Agreement between the EU and the US, obliging the two parties to negotiate a new Agreement. Similarly, in Opinion 1/15 issued in 2017, the CJEU objected to the entry into force of the EU/Canada PNR Agreement, insisting on very strict rules for the concrete implementation of surveillance laws and leading, once again, to a time-consuming renegotiation of that Agreement. Schrems I, in 2015, led to the invalidation of Safe Harbor. Against this background, Schrems II represents, as Kuner noted, “a continuation of the Court’s approach to the regulation of international data transfers rather than a radical departure from it.” From several points of view, however, Schrems II goes far beyond Schrems I by completing the theoretical regime of protection for data transfers in a way intended to prevent further circumvention of the standards of the GDPR. Indeed, while Schrems I only invalidated the Commission’s adequacy decision for the US, Schrems II is not just about invalidating the Privacy Shield. As will be shown later, the CJEU insists that all relevant stakeholders must ensure that the same standards of protection for European personal data apply to transfers operated using other legal means, starting with SCCs.

 

Theoretically, this is a rather logical development to ensure a consistent and comprehensive legal regime. As Omer Tene noted, the use of SCCs has been criticized as being a “mere formality” or “a legal fiction”. “Never once in memory have they been pursued or enforced in a court of law. Perhaps this will now change.” Indeed, Schrems II makes clear that SCCs are logically subject to the same standards of protection as other means of transfer. It is no longer sufficient for companies to “copy and paste” the SCCs template and “wash their hands” of what happens afterwards if a foreign intelligence agency accesses the data. As noted by Thomas Streinz, “a contractual guarantee is insufficient if another country’s law requires or allows for access to personal data contrary to GDPR guarantees.” Data controllers, under the supervision of Data Protection Authorities (DPAs), need to ensure effectiveness in practice.

 

This development also ensures fairness in the treatment of the EU’s foreign partners. Indeed, one of the major objections against an invalidation of the Privacy Shield formulated by US scholars ahead of Schrems II was that this could lead to an absurd and unfair situation which consists in “prohibit[ing] transfers of data to the US, which has numerous legal safeguards characteristic of a state under the rule of law, while allowing such transfers toward China, where the protection of personal data vis-à-vis the government is essentially non-existent”.

 

By clearly saying that data controllers and DPAs need to ensure that the same standards of protection apply irrespective of the legal basis used for data transfers, the CJEU avoids the “double standards” pitfall and ensures the theoretical coherence and fairness of the legal regime.

 

Seeing things from a rather European and idealistic perspective, one author said that “the CJEU is steering us – as it has always done – in a direction of travel which seeks a balanced approach to Government access to data rooted in democratic principles and effective remedies for individuals”. Indeed, still theoretically and with a pinch of European legal imperialism, one could hope that Schrems II could have the welcome effect of realizing the European Commission’s goal to “promote convergence of data protection standards at international level, as a way to facilitate data flows and thus trade” (as expressed on page 12 of the recent assessment of the GDPR on the occasion of its second anniversary).

 

Coherent and protective as all this sounds at a purely theoretical level, it leads to huge difficulties and uncertainties in practice.

 

B. In Practice It’s Uncertainties Time: The Show Must Go On, But… How?

 

Five years ago, in Schrems I, the CJEU struck down the EU-US Safe Harbor amid concerns about US government access to data, and several commentators thought that this was the end of the digital world. However, as Omer Tene notes, “the next day, the sun rose in the east, and data transfers went on”. Will this time around be any different? Omer Tene ventures to guess, “no”. Even after Schrems II, “data will continue to flow across borders, including from Europe to the US. … The internet, after all, will not break. The show must go on.”

 

While this seems a reasonable statement, the big question is “how”. Schrems II creates at least nine major uncertainties about the future of international data transfers.

 

1. Uncertainties over a Grace Period for Privacy Shield

 

The US authorities noted (see here and here) that, as a consequence of Schrems II, more than 5,300 European and US companies, large as well as small, may no longer rely on the Privacy Shield as a basis for transferring personal data from Europe to the US.

 

Immediately after the judgment, a representative of the tech lobby BSA/The Software Alliance called on DPAs to release guidance and to hold off enforcing the ruling for a grace period. This was based on the argument that, after the Schrems I judgment, DPAs provided a period for transition and, at a practical level, companies that had been relying on the Safe Harbor Framework were allowed to continue data transfers on that basis until the new Privacy Shield came into force in 2016.

 

However, it is at least unclear whether such a “grace period” could be accorded again, for several reasons:

 
  • First, this happened before the adoption and entry into force of the GDPR, which introduced even stronger safeguards on data protection and data transfers.
     
  • Second, Schrems II appears as a disapproving affirmation that things have not been done properly after Schrems I, leaving little space for further flexibility and delays by DPAs.
     
  • Third, the Court leaves little room for such an interpretation. Indeed, para. 202 of the judgment considers that it is not “appropriate to maintain the effects of that decision for the purposes of avoiding the creation of a legal vacuum” because, in any event, derogations under Article 49 GDPR can be used for necessary data transfers to the US.
     
  • Finally, the European Data Protection Board (EDPB) did not mention such a possibility in its first statement on Schrems II, while some DPAs in Germany took the position that “there is nothing” in the judgment or the GDPR “about possible grace periods or some kind of moratorium.”
     

Of course, as noted by Propp and Swire, who rely on the practice of EU governments after some CJEU judgments on data retention: “in light of the slow pace of EU rulings and begrudging compliance by member states, one strategy for companies in the face of Schrems II may be to continue with business as usual and wait and see if consequences follow.” There is nonetheless a huge difference between the data retention cases and Schrems II. In the former, any non-compliance with CJEU judgments was due to the attitude of governmental authorities in some sovereign EU Member States. Schrems II, by contrast, concerns companies and data controllers who might be, as Propp and Swire rightly warn, subject to huge fines (up to 4% of yearly turnover) imposed by DPAs if they violate the GDPR.

 

As a result, and unless the EDPB or DPAs clearly open a “grace period” window, over 5,300 companies using the Privacy Shield should take steps to switch to another legal basis for data transfers to the US.

 

2. Uncertainties about the Prospects of a Safe Harbor 3.0.

 

The best solution would be, of course, for the EU and the US to negotiate a new, third, arrangement that will replace the Privacy Shield. There could be two ways to do this.

 

The first way would be to go for a “quick fix”, taking the risk that the CJEU could, for a third time, invalidate a new EU-US arrangement, whatever its name this time. After all, it took just eight months between the invalidation of Safe Harbor by Schrems I on October 6, 2015, and the Privacy Shield adequacy decision adopted by the Commission on July 12, 2016. The Privacy Shield has, of course, been criticized since then by several actors, including, most notably, the EDPB (see here and here), but it took four whole years for the Court to strike it down, and it provided a valid legal basis for data transfers to the US by more than 5,300 companies during this time. “Quick fixes” allow the “show to go on”.

 

Nevertheless, it is hard to see how the European Commission and the US could enter this time into such a “quick fix” approach, playing “cat and mouse” with the CJEU. The second consecutive invalidation of the Commission’s adequacy decision has important legal and political significance and raises the bar for the Commission to “do things right” this time. Engaging in a “quick fix” strategy that does not meet the requirements of the Court would be seen as cynical and would attract strong criticism of the Commission. As a commentator wrote: “There isn’t going to be a third Potemkin data deal.”

 

The second, and much more credible way to advance, would be to try hard to address the main issues raised by the CJEU and conclude a long-lasting EU-US arrangement providing a valid legal basis and legal certainty for years to come.

 

For a European observer this should not be “mission impossible”. When one reads the judgment carefully, it should not be impossible to deal with the Court’s main objections. Indeed, Schrems II does not seem to challenge the US powers of surveillance as such, but rather the lack of necessary safeguards and remedies in relation to these powers. Schrems II does not repeat the harsh criticism of surveillance appearing in Schrems I, where the CJEU clearly stated that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” (para. 94). Instead, it focuses on issues such as the deficiencies of the Privacy Shield Ombudsman mechanism or the lack of effective remedies in the US for EU data subjects, which have been pointed out for years as problematic by various actors, including the EDPB (see links above).

 

Of course, several US and other commentators have expressed their pessimism about any chance that the US political economy will allow for a re-calibration of US law at the expense of surveillance capabilities, while extending US protections to foreigners has been presented as an “anathema to US law”. Similarly, US authorities have declared that it is neither “advisable nor possible” to consider an overhaul of surveillance powers in the short term.

 

Beyond specific arguments, one could also note the general frustration on the US side with a situation that resulted in a second major judicial assessment by a European Court in five years that US surveillance laws do not meet European human rights standards and need to be reformed. However, one should recall that this situation is far from unusual and that the US government itself conditions several of its actions on an assessment of whether the laws of foreign countries meet certain necessary requirements, including human rights standards. One recent, important and particularly relevant example is the CLOUD Act adopted in March 2018. The second part of the CLOUD Act enables the US to conclude “executive agreements” with some qualified foreign governments, permitting the latter to access the content of (some) communications held by US service providers. But the conclusion of such an agreement is strictly conditioned on each “foreign government” being “certified” by the Attorney General, with the concurrence of the Secretary of State, as affording “robust substantive and procedural protections” for privacy and civil liberties in its “domestic law,” among multiple other requirements. Indeed, the US Government recently “certified” that the UK meets such requirements, enabling the UK-US CLOUD Act Agreement to enter into force on July 8, 2020, just a few days before Schrems II.

 

It is thus to be hoped that, when the Schrems II dust settles, experts from the two sides of the Atlantic will work together to present creative and innovative ideas, and that the EU and the US will engage in constructive negotiations in order to conclude, as soon as possible, a long-lasting, solid and Court-proof arrangement for transatlantic data transfers.

 

3. Uncertainties about the UK Adequacy Decision

 

While the immediate consequence of Schrems II was the invalidation of the EU-US Privacy Shield, an indirect consequence of the judgment could be to complicate a future EU-UK adequacy decision. The UK has particularly powerful surveillance laws and powers and has been condemned several times by the European Court of Human Rights (ECtHR) for not meeting the standards of the European Convention on Human Rights (ECHR), standards which, one could argue, might be somewhat lower than those set by the CJEU (see infra).

 

The latest condemnation of UK surveillance laws by the ECtHR came on September 13, 2018, in the Big Brother Watch and Others judgment (discussed in this blog), which found that the bulk interception of communications practiced by the British intelligence agency GCHQ violated two important rights under the ECHR: Article 8 (protection of privacy) and Article 10 (freedom of expression, given the lack of safeguards for the protection of journalists).

 

This case has been referred to the Grand Chamber of the Court at the request of the claimants, who consider that the ECtHR did not go far enough in its condemnation of UK surveillance powers. The Grand Chamber held hearings in July 2019, and the judgment is expected in the coming months.

 

At the same time a new case brought by Privacy International and Others against the UK challenges the new UK Intelligence Services Act.

 

If the ECtHR finds in these two cases that the UK surveillance laws do not meet the standards of the ECHR, it could be extremely difficult for the Commission to declare that the UK meets the – even stricter – standards of EU Law, as interpreted by the CJEU. An adequacy decision adopted by the Commission despite such ECtHR condemnations, might be quickly challenged before the CJEU.

 

4. Uncertainties about the Future of Other Adequacy Decisions

 

But it is not just the future EU-UK adequacy decision that is at risk. Let’s recall that, beyond the US, the European Commission has already adopted adequacy decisions for Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Adequacy talks are also ongoing with South Korea.

 

It would be interesting to follow future developments, including the Commission’s periodic reviews or possible legal challenges before the CJEU, in relation to some of the past adequacy decisions, especially the one for Israel, a country that conducts extensive surveillance for national security purposes and could potentially run afoul of the CJEU’s standards.

 

5. Uncertainties on the Continued Use of SCCs

 

Probably the most important uncertainty following Schrems II concerns the future use of SCCs for data transfers to the US (and other countries).

 

As the EDPB explained,

 

“while the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter […] shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country.”

 

If the protections offered in the third country are not enough and the exporter is not in a position to put in place “additional measures” (see infra, point 6) to remedy this problem, then the data transfers must cease. DPAs are tasked with overseeing the whole process and can suspend or prohibit the transfer of data to a third country pursuant to SCCs if, in their view, the laws of the third country do not meet EU legal standards and there is no other way to ensure the protection of the data concerned.

 

For countries other than the US that do not benefit from an EU “adequacy decision”, SCCs might remain for some time the main tool for data transfers. However, this will henceforth imply an assessment of whether the importer’s country has legal protections in place that are essentially equivalent to those of the EU. Needless to say, this assessment, under the supervision of DPAs, could shut down data transfers to a significant number of States (starting with China and Russia) whose legal systems offer substantially fewer guarantees than the US in relation to government access to data. Indeed, one can hardly imagine how personal data transfers to China could continue via TikTok or other companies after Schrems II.

 

As for the use of SCCs in order to transfer data to the US, it already appears “questionable” (to cite Ireland’s Data Protection Commission) following the CJEU’s centralized and authoritative conclusion that US laws do not offer adequate protections. In reality, there are only two ways to continue using SCCs for data transfers to the US.

 

The first possibility is to demonstrate that some categories of data transferred and some data recipients are not covered by US surveillance laws. Omer Tene has noted, for instance, that “US Foreign Intelligence Surveillance Act Section 702, Executive Order 12333 and Presidential Policy Directive 28 concern communication service providers, not retailers, manufacturers, health care or pharma companies, or the thousands of companies that use SCCs to export employee data to headquarters in the U.S. This means that the vast majority of companies can use SCCs in transfers to the US.” However, as other commentators noted, this “theory is untested, and it is far from clear which EU regulatory authority can provide comfort that such transfers are lawful.” Indeed, it could be a probatio diabolica to show that the data transferred on the basis of SCCs cannot be subject to US surveillance. In any case, this would be almost impossible for companies that transfer the contents of communications, such as telecom and cloud providers or companies using the services of such providers.

 

The second possibility, to which I will now turn, concerns the use of the mysterious concept of “additional safeguards”.

 

6. Uncertainties about the Meaning of “Additional Safeguards”

 

In several paragraphs of Schrems II, the CJEU hints at the possibility that, even if the laws of the importer’s country do not offer an “adequate” and “equivalent” level of protection in relation to government access to data, international transfers could still take place if the data controller puts in place “additional safeguards” (para. 134) or “additional measures” (para. 135), or “supplementary measures” (para. 133), or “effective mechanisms to make it possible in practice” (para. 137) to ensure the protection of the transferred data by other means. While the term “additional safeguards” already appears in recital 109 of the GDPR, it remains rather mysterious, especially in the context of the Schrems II judgment.

 

If one considers, for instance, that one of the main concerns of the Court was that the US system of surveillance does not offer effective judicial remedies to EU citizens, it is hard to imagine how any “additional safeguards” introduced by the data controller could change this.

 

Technical “additional safeguards” could indeed prove effective, where they are possible from a practical point of view. Companies could, for instance, encrypt data in transit to the US using the strongest encryption protocols available (encryption only helps against government access, of course, if the importer in the US does not itself hold the keys needed to decrypt the data and cannot be compelled to use them). Indeed, Schrems II could greatly strengthen the position of proponents of end-to-end encryption and other encryption techniques (and, at the same time, aggravate the existing problems for law enforcement, especially in relation to end-to-end encryption!). Still, it remains to be seen whether encryption is always relevant and possible from a technical point of view, and what the response would be to the argument that the NSA might have significant capabilities for deciphering encrypted data.

 

Beyond technical “additional safeguards”, one could ask if there might be additional legal safeguards. Daskal suggests that companies might challenge — and demand individual reviews of — all intelligence community demands for EU citizen and resident data. But as she acknowledges, “there is no guarantee that the companies will win such challenges; they are, after all, ultimately bound by US legal obligations to disclose.”

 

The EDPB itself seems to remain puzzled by the mysterious “additional safeguards” concept. In its initial statement it provided no guidance in this respect, just saying that it “is looking further into what these additional measures could consist of.” Its future guidance in this field is eagerly expected.

 

7. Uncertainties about the Use of BCRs as a Silver Bullet

 

Hogan Lovells suggested, after Schrems II, that “given the specific protections included within Binding Corporate Rules [“BCRs”] to address the issue of data disclosures to government agencies and the high degree of scrutiny undertaken prior to their approval, [BCRs] will likely emerge as a most solid mechanism available to legitimize global data transfers.” Similarly, Wiley presented BCRs as the “gold standard” of data transfer mechanisms.

 

BCRs are provided for by Article 47 GDPR and have the advantage of being approved in advance by the competent supervisory authority, providing legal certainty for future data transfers. However, their widespread adoption after Schrems II faces two obstacles.

 

First, their negotiation and implementation can take years and are particularly onerous. As a result, BCRs are only used by large companies with wide-ranging data transfer needs. Of course, one could imagine that, if BCRs prove to be the magic bullet after Schrems II, SMEs with common activities and interests could try to form groups in order to reduce costs and undertake the negotiation of BCRs together.

 

However, there is a second obstacle to the use of BCRs: they will be met by exactly the same difficulty as SCCs, namely that the transfer in both cases will be impossible if the third country’s laws do not meet the EU protection standards. Indeed, Kuner rightly observes that the Schrems II protective standard “presumably also applies to other appropriate safeguards under Art. 46 (such as BCRs), which will raise the bar for them as well.” The “essentially equivalent level of protection” standard applies to all legal mechanisms for transfers, not just SCCs.

 

8. Uncertainties about the Use of Article 49 Derogations

 

As mentioned above, the Court in para. 202 of Schrems II rejected the idea of a legal vacuum following its judgment, noting that Article 49 GDPR “details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.”

 

Taking into consideration the uncertainties mentioned in the analysis above, companies might be tempted to use the derogations of Article 49 as an ultimum refugium for transfers to the US. However, this would be highly problematic.

 

As a matter of fact, the EDPB has cautioned on two recent occasions that Article 49 derogations are not meant to be used for “routine”, “systematic” or “ongoing” transfers. Both in its Guidelines 2/2018 on derogations of Article 49 under the GDPR, adopted on May 25, 2018, and in its Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data, adopted on July 10, 2019, the EDPB stressed that Article 49 derogations, like any derogations, must “be interpreted strictly so that the exception does not become the rule.” The EDPB emphasized that

 

“even those derogations which are not expressly limited to ‘occasional’ or ‘not repetitive’ transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”

 

This position largely shuts the door to attempts to use Article 49 derogations as a substitute, for systematic data transfers, for the legal bases of Articles 45, 46 or 47 GDPR.

 

Still, pending better alternatives, companies might certainly be tempted by some Article 49 derogations and, especially, the one based on “explicit consent”. It would not be surprising if in the future companies required explicit consent from users in order to proceed with international data transfers, which in turn presupposes informing them that their data will be transferred to a country that does not provide adequate protection. Users could then find themselves compelled to consent in order to use a specific service (such as a social network). This would create an unwelcome situation that should definitely be addressed by the EDPB.

 

9. Uncertainties about Codes of Conduct and Other New Options

 

Christopher Kuner suggested that, taking into consideration all these uncertainties, “one idea could be to develop codes of conduct or certification mechanisms together with enforceable commitments covering US data flows as foreseen under Article 46(2) GDPR.” He notes that “codes of conduct and certification mechanisms as a legal basis for data transfers have not been approved under the GDPR thus far, but seem worthy of investigation as potentially a new way forward.”

 

It would be interesting to have more details about this suggestion, which creates new uncertainties. Indeed, taking into consideration the fact that the “Schrems II standard” applies, as stressed by Kuner, not only to SCCs but to all legal tools for data transfers, it is hard to imagine how codes of conduct or certification mechanisms could work any better than SCCs and address the problem of the absence of equivalent protection in the country of destination.

 


 

Theodore Christakis (@TC_IntLaw) is Professor of International and European Law at the University Grenoble Alpes (France) and a Senior Fellow with the Cross-Border Data Forum. He is a Member of the French National Digital Council and the French National Committee on Data Ethics. He also holds a Chair on the ‘Legal and Regulatory Implications of Artificial Intelligence’ within the Multidisciplinary Institute in Artificial Intelligence (MIAI, France). As an international expert he has advised governments, international organisations and companies on issues concerning International Law, Data Protection and Cybersecurity and he also acts as external Data Protection Officer under the GDPR.

 

The preceding is republished on TAP with permission by its author, Professor Theodore Christakis and by the European Law Blog. “After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe” was first published on July 21, 2020 with the European Law Blog.

