Written by Raymond Faber and Elisabeth Guissart, Avocats à la Cour

Published on 15.10.2020 - Paperjam

Nothing seems to stand in the way of this young Austrian activist, who likes to take legal action against FACEBOOK that seems to be "lost in advance". Not with Max!

Max Schrems, a fervent defender of personal data, has twice succeeded in doing the unthinkable. The first time was in 2015, when he had the so-called "Safe Harbor" agreements invalidated in a dispute with Facebook before the Court of Justice of the European Union (ECJ), the purpose of which was to regulate the transfer of personal data from the European Union to the United States.

Following the Schrems ruling, new, highly controversial agreements were drawn up between the European Union and the United States ("Privacy Shield" [1] ) to ensure the legality of these transfers to the United States. But, bis repetita, three months ago, with the so-called "SCHREMS II" judgment [2] , these agreements were once again invalidated for not giving appropriate guarantees to the persons concerned by a level of protection substantially equivalent to that guaranteed within the European Union and for not guaranteeing that the persons concerned have enforceable rights and effective legal remedies, in particular, in the case of the United States, against its omnipotent external intelligence services or against the American public authorities in general.

Okay, now what?

While the EJC's decision fortunately does not prohibit all data transfers outside the European Union, it does bind them to certain conditions (e.g., adequacy decision (see below), appropriate safeguards (with "additional measures" to the standard contractual clauses (SCC)), the characteristics of which are not all clear at this time. The European Data Protection Board (EDPD), which brings together the national data protection authorities, is currently working on guidelines to help companies, first, in understanding what "additional measures" may be and, second, in implementing them. In this context, the EDPD has also published a FAQ [3] giving interesting indications on the impact of the SCHREMS II ruling.

The easiest solution, in this case for data transfers to the United States, would probably be for the European Commission to decide by way of an adequacy decision [4] that the latter ensures an adequate level of protection (to that of the European Union). However, such a decision is only theoretical and would be politically more than foolhardy, as the CJEU has unambiguously found that, given the legislation of the United States, this level of protection is not currently given. It is seriously doubtful that the US will change its approach to please the Europeans.

What impact will this have on my choice of service providers, my data processing register and my information notices?

The first observation is that the responsibility for transfers of personal data outside the European Union now rests more than ever on the data controller, who must surround this transfer with a large number of contractual, organizational and technical guarantees.

However, going back to the case of the United States, it is very difficult to imagine how these guarantees could be stronger than the desire of a State to access data from all over the world collected by its nationals and to use them for surveillance and control purposes.

In the absence of European and national guidelines, data controllers (and processors) will, for the time being, have no choice, if they are currently transferring personal data to the United States (or to U.S. companies), but to thoroughly review their registries, change their service providers if necessary, and adapt their information notices, while waiting to cement their contracts with the additional measures that the GDPR will have defined.

And to think that companies thought they had reached the end of the tunnel!

Thanks Max?

Thank you Max!

[1] Decision 2016/1250 on the adequacy of the protection provided by the EU-US data protection shield [2] ECJ 16 juill. 2020, DPC c. Facebook Ireland Ltd et M. Schrems, case C-311/18 [3] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_faqs_schrems_ii_202007_adopted_fr.pdf [4] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_fr

The image above is under license CC BY 2.0