On September 3, 2020, The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the LIBE Committee), met to discuss the future of future of EU-US personal data flows following the Schrems II decision. In particular, the session was attended by Max Schrems, EU Commissioner for Justice Didier Reynders, and Andrea Jelinek (head of the European Data Protection Board – ‘EDPB’).
This blog post paraphrases some of the key statements which were made during the session. They are not presented in order.
Commissioner for Justice Didier Reynders
- The Commission will focus on 3 main areas:
- Working closely with the EU Data Protection Authorities (‘DPAs’) to provide companies with guidance and support. Their responsibility has been ‘highlighted’ and ‘strengthened’ by the decision of the Court of Justice of the European Union (‘CJEU’) in the Schrems II case.
- Modernization of the Standard Contractual Clauses (‘SCCs’) – The adoption process for the modernized SCCs will be launched in the coming months, and Reynders hopes to finalize the SCCs this year.
- Discussions with the US – Reynders emphasized the fact there is no quick fix, but he underlined that the EU Commission has initiated discussions for a strengthened framework. The discussions with the US are both technical and political. The EU Commission will also examine the need for legislative changes in the US. Given domestic US debates on privacy and limitations on US surveillance, there are now more viable solutions than there were at the time the Privacy Shield was negotiated.
- The improvements in respect of the modernized SCCs include:
- Updating the SCCs in light of GDPR’s new requirements (e.g., the Article 28 mandatory processing clauses and the GDPR’s transparency obligations);
- Addressing transfer scenarios not yet covered (e.g., EU processor to non-EU sub-processor);
- Better addressing transfers where there are multiple importers and exporters, and where there are complex chains of personal data transfers; and
- Taking into account the Schrems II decision.
Andrea Jelinek (Head of the EDPB)
- The EDPB will do its utmost to ensure consistency across the EEA in the treatment of personal data transfers.
- The EDPB will in the coming weeks and months:
- Review and update EDPB documents in relation to personal data transfers in accordance with the Schrems II decision; and
- Prepare recommendations to support controllers and processors to identify legal, technical and organizational measures to meet the obligation to ensure ‘essential equivalence’ of EU protections when transferring personal data, based on their situation.
- The 101 complaints made by Schrems in respect of Google Analytics and Facebook Connect were made in such a way that each DPA in the EU has at least three cases to deal with. The EDPB has established a task force in respect of these complaints and the national DPAs will be working more closely than they have done before.
- We (in the west) should come together to see if the western world has a common understanding about data protection and how to protect fundamental rights of citizens.
Please note that Schrems’ views are his only. We summarize them here as he offered them without endorsing or challenging them.
- Schrems argued that there is a fundamental legal clash between the EU Charter of Fundamental Rights and the US Foreign Intelligence Surveillance Act (‘FISA’): a clash between privacy and surveillance. An executive agreement cannot remedy the clash, in his view. Since the EU Charter will not be changed, Schrems concluded that US surveillance law must change (which is possible, given that it was changed after the Snowden reports).
- In his view, the SCCs are not usable ‘for companies which fall under US surveillance laws’ – that is, companies which fall under section 702 of FISA (i.e., electronic communications service providers). It is a question of looking at the ‘details’ of US law. He does not think that all personal data transfers to the US are problematic. Hence a transfer of personal data in the context of a hotel booking could be possible, but using a US cloud service provider may not be possible because such service providers usually fall under FISA.
- Supplementary measures can be of use in the case of personal data transfers where personal data is under surveillance in transit. In that situation, Schrems’ opinion is that good encryption could overcome the issue of surveillance. If the personal data is then stored and processed in the US by a company falling under surveillance laws, then Schrems believes that the measure may not help.
- Supplementary contractual measures could help to a degree in respect of surveillance in the context of US Executive Order 12333. Schrems provided the example of including a clause which levies a heavy penalty if the service provider voluntarily hands over personal data to US authorities.
- Schrems noted that he received correspondence this week from the Irish DPC which leads him to believe that the Irish DPC will not enforce the Schrems II case for (in his estimation) the next 1-2 years. There are then three layers of appeal and so the case may take some time be settled. Schrems indicated that he may be able to provide more detail soon about the letter he received.
- The solutions as Schrems sees them are as follows:
- Short term, clarifications are needed on the data transfer ‘derogations’ under Article 49 GDPR. This is because Facebook appears to be relying on the derogations to justify transfers. Clarification is also needed on whether section 702 of FISA applies in respect of server farms located in the EU. He believes that storing personal data in the EU does not help with the issue of section 702 of FISA;
- Medium term, reform is needed of FISA 702 in the US; and
- Long term, we need a common understanding within the west as to how far surveillance online should go. In the EU, there is still a fragmented/ national approach. An approach is needed amongst western countries whereby fundamental rights are respected regardless of citizenship.
- Schrems and his non-profit organization None of Your Business (‘NOYB’) are looking into enforcing the GDPR against processors directly (e.g., big tech companies). His argument is that EU Controllers don’t necessarily have the power to check and control companies like Google. Often, the real power is held by the processor (which is at odds with the controller-focused approach of the GDPR).
- His thoughts on potential US law changes are as follows:
- One possibility to overcome current problems with the lack of redress for EU citizens under US law would be to change US law to provide for ‘delayed notice of surveillance’. This would allow individuals to have standing under US law.
- In terms of material law, (i.e., when individuals can be subjected to surveillance), one solution would be to give EU citizens equal protections under US law to those provided to US citizens.
- Service providers could modify their arrangements so that processing takes place in the EU. Companies in some cases already have infrastructure located in the EU (for technical and latency reasons), but in Schrems’ view, the issue is that those operations are still connected to the US.
- Schrems argued that another ‘business-friendly’ solution would be to create a ‘European self-certification’ approach, based on the SCCs. The relevant provisions would be placed into terms and conditions and be as legally binding as the SCCs. This approach is easier as it does not involve negotiation with the US or any other country.