A two-minute global status update two and a half months after the Schrems II judgment of the CJEU: we are still in the dark, but there is hope for light at the end of the 2020 tunnel. Here are the main events since the judgment:
- Desperately Seeking Guidance: We are still waiting for definitive guidance from the EDPB, which issued FAQs setting out a clear summary of the judgment but did not offer much in terms of practical advice or an outlook for a stable framework to transfer personal data outside the European Union.
- Germans Not Wasting Time: Unable to wait for the EDPB, a German state data protection authority (the Baden-Württemberg Commissioner for Data Protection and Freedom of Information) issued concrete guidance which, while not binding on other authorities, may inspire others to do the same. In a bold move, it also gives recommendations for a revised set of standard contractual clauses (SCCs).
- Playing “Whack-A-Mole” in Ireland. As a direct consequence of the Schrems II judgment, Facebook had to immediately stop relying on the Privacy Shield and attempted to use SCCs to transfer personal data from its Irish to its U.S. companies. The Irish Data Protection Commission issued an order blocking that transfer, but Facebook obtained that this decision be temporarily stayed by Ireland’s High Court until it is reviewed by the court in November. In the meantime, Facebook appears to have again switched grounds and to now be transferring personal data from Ireland to the United States on the basis of article 49(1)(b) of the GDPR (claiming that the transfer is necessary for the performance of its contracts with individual clients). Unsurprisingly, Max Schrems is disputing that move as well.
- Cruella De Vil and 101 Complaints: None of Your Business (an organization with strong ties to Max Schrems) launched 101 complaints to stop certain transfers of personal data to the United States, and also exercised data subject access requests to survey main tech players on how the Schrems II judgment changed their international data transfer practices, but these efforts did not yield much results or traction yet.
- Join the Club: Data protection authorities in Switzerland and Israel both followed the CJEU’s lead and declared the privacy shield no longer a valid ground to transfer personal data to the United States. This may inspire others in the “club” of countries that have adopted a data protection regime that is similar to, or compatible with, the GDPR to further scrutinize data transfers to the United States.
- The Empire Strikes Back: The U.S. administration only recently fought back by publishing a white paper explaining that the CJEU failed to take into consideration certain pro-privacy features of its legal regime, and giving arguments to data exporters in the European Economic Area wishing to use SCCs to transfer personal data to the United States. A call for clarity quickly followed.
- Announcing a Christmas Miracle: While talks between the European Commission and the U.S. Department of Commerce are underway “to evaluate the potential for an enhanced EU-U.S. Privacy Shield”, a more realistic option in the short run comes from the announcement by Executive Vice President of the European Commission Margrethe Vestager that revamped sets of SCCs will be issued before the end of the year. As ambitious as this may sound, the commissioner herself recognized that this would only be an “intermediate solution”. A permanent one may come from efforts to achieve a federal data privacy regime in the United States, but it is safe to predict that no such legislative framework will see the light of day in 2020.