EU: Analysing Parliament's Schrems II resolution - impact on SCCs, enforcement, adequacy and more
The European Parliament announced, on 20 May 2021, that it had adopted, with 541 in favour, 1 against and 151 abstaining, a resolution [1] urging the European Commission to issue guidelines on making data transfers compliant with the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). The resolution, which arrived ten months after the Schrems II judgment, aims to ensure that the EU's data protection standards are upheld and the requirements of the Schrems II judgment are complied with. In this Insight, our legal experts explore the various recommendations issued by the Members of the European Parliament ('MEPs') through the resolution, analysing the potential impacts on the data protection landscape in the EU, the UK, and the US.
Standard Contractual Clauses
State of play – the existing toolkit of guidance for Schrems II compliance
Further to the CJEU's ruling in the Schrems II case that Standard Contractual Clauses ('SCCs'), though still valid, may require supplementary measures in order to ensure that data transferred to third countries benefits from an essentially equivalent level of protection to that provided under EU law, the European Data Protection Board ('EDPB') issued, on 11 November 2020, its Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data [2] ('the Recommendations'). The Recommendations aim to assist controllers and processors acting as data exporters with their duty to assess third countries and identify and implement various supplementary measures, outlining a six-step roadmap and providing a non-exhaustive list of technical, contractual, and organisational measures.
On 12 November 2020, the European Commission launched a public consultation on a set of draft SCCs [3], which include a number of clauses designed to address the Schrems II ruling, including an obligation to conduct and document a transfer risk assessment which should be made available to data protection authorities upon request, as well as a requirement for the data importer to notify the data exporter of such requests, review the legality of the request, and ensure that only the minimum amount of information required under the applicable law is provided in response to such request.
Relationship between draft SCCs and supplementary measures
EDPB Chair, Andrea Jelinek, noted, in the 42nd plenary session outcome, that draft SCCs "are not a catch-up solution for data transfers post-Schrems II" and that "the step-by-step approach of the Recommendations is necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence." [4]
Subsequently, the EDPB and the European Data Protection Supervisor ('EDPS') adopted, on 15 January 2021, joint opinions on the Commission's draft SCCs [5]. In particular, the EDPB and EDPS called for clarifications in a number of areas, noting that obligations imposed by the draft SCCs with respect to third country assessments should be aligned with the Recommendations.
Specifically, the EDPB and EDPS, in reference to the clause in the draft implementing decision of the Commission, which provides that organisations should adopt a risk-based approach, taking into account the specific circumstances of the transfer, including subjective factors such as the likelihood of the data importer receiving an access request from public authorities, outlined that third country assessments should be based on objective factors, regardless of the likelihood of access to the personal data.
The EDPB more recently noted, in the minutes of the 46th plenary meeting [6], that the Taskforce on Supplementary Measures had made progress analysing the submissions calling for a risk-based approach as well as those stating there was a need for further alignment between the draft SCCs and the Recommendations.
Parliament: guidelines on transfers
Against this backdrop, the resolution highlights the need for guidelines and assistance in order to ensure legal certainty in the application and interpretation of the Schrems II ruling, highlighting that a large number of SMEs make use of SCCs. Further to this, the MEPs noted their concerns about potential conflicts between the Recommendations and the draft SCCs, and invited the Commission and the EDPB to cooperate on the finalisation of their respective documents to ensure legal certainty following the CJEU ruling.
In a press release following the adoption of the resolution [7], the Civil Liberties, Justice and Home Affairs ('LIBE') Committee of the European Parliament outlined that, once Parliament's recommendations with respect to SCCs are achieved, businesses and individuals should have at their disposal a toolbox of measures to bring protection up to the level required by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
OneTrust DataGuidance spoke with several EU data protection experts in relation to the timeline and expected changes to the new SCCs.
Jimmy Orucevic told OneTrust DataGuidance, "I expect the new SCCs to be published next week. During a webinar [with Alexander Filip of the Data Protection Authority of Bavaria for the Private Sector ('BayLDA')] it was stated that quite some changes were made, but Filip mentioned (which we all expected) that the new SCCs won't be a holy grail." Orucevic further outlined his expectation that "the new SCCs will not be a 'quick fix' and it won't get any easier for companies to transfer data to third countries, [although] it certainly will be helpful to have the different modules (i.e. c2c / c2p / p2p / p2c), meaning that the SCCs are more flexible […] It will also be interesting to see if the EDPB will allow a risk-based approach for data transfers (this was not the case in the draft recommendations). Hopefully, there will at least be some room for such an approach in specific cases."
Dr. Carlo Piltz, Partner at reuschlaw Legal Consultants, indicated that he expects that "the Commission will certainly take up some of the EDPB's comments and recommendations [but] would be surprised if all of the EDPB's demands are met." Piltz also predicted that the new SCCs will be released shortly, "possibly in the next two-three weeks."
In addition, Márton Domokos, Senior Consultant at CMS Cameron McKenna Nabarro Olswang LLP, told OneTrust DataGuidance, "We expect that the Commission will take into due account the resolution as regards channelling the input received during the public consultation and the feedback from the EDPB. According to EU Commission Deputy Head of Unit for International Data Flows, Ralf Sauer, the Commission has carefully weighed all feedback it received on the draft SCCs during the public consultation phase." Domokos also noted that we should expect a grace period, outlining that "the new SCCs may, at least in part, be substantially different from the draft text proposed in December 2020, e.g. an extended period allowing companies more time to transition from the old to the new set of clauses."
Schrems II enforcement
State of play
The Schrems II judgment requires data protection authorities to suspend or prohibit the transfer of data to the third country when the protection required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to the transfer.
Following the Schrems II ruling, a number of supervisory authorities issued statements, with the German Federal Commissioner for Data Protection and Freedom of Information ('BfDI'), for example, commenting that supervisory authorities would have to verify whether each individual data processing activity meets the CJEU's requirements and prohibit exchange of data if the requirements are not met.
On 17 August 2020, Max Schrems' organisation None of your business ('NOYB') announced the filing of 101 complaints in 30 EU and EEA Member States against EU companies that continue to send website visitor data to the US, in alleged violation of the Schrems II judgment. Earlier this month, further to these complaints, NOYB called on the Austrian data protection authority ('DSB') to issue a fine of 4% global turnover, equivalent to just over €6 billion for data flows allegedly in violation of the GDPR and Schrems II ruling.
In addition, the BayLDA issued, on 30 March 2021, a decision ordering a company to cease use of a mailing tool, noting that the company had not examined whether additional measures within the meaning of the Schrems II judgment were necessary in order to make the transfer of data to the US compliant with the Schrems II ruling. In addition, the Portuguese data protection authority ('CNPD') issued a decision, on 28 April 2021, ordering the suspension of the international transfer of census data to the USA, citing the fact that the vendor used for the operationalisation of the census survey was directly subject to US surveillance legislation for national security purposes.
Parliament: national authorities must enforce Schrems II
The resolution criticises the Irish Data Protection Commission's ('DPC') decision to initiate the Schrems court case instead of independently triggering enforcement procedures based on GDPR rules, with the MEPs criticising the DPC's long processing times. Further to this, the resolution calls on the Commission to launch infringement procedures against Ireland for failing to effectively enforce the GDPR.
More broadly, though, the resolution "expresses concerns at the lack of prioritisation and overall scrutiny by national supervisory authorities with regard to personal data transfers to third countries", further outlining that the MEPs "deplore the absence of meaningful decisions and corrective measures in this regard."
Domokos outlined, "Based on these findings, there will likely be a tendency of more scrutiny. To back this view, Alexander Filip […] was very clear that we should expect an increased level of enforcement in the coming months, not in the least due to the high number of complaints regulators receive."
Piltz, in this regard, is in agreement, notably expecting German data protection authorities to take the lead: "It may be that some supervisory authorities feel even more pressure to enforce as a result of this resolution. And therefore carry out audit measures. Regardless of the resolution, however, I expect that in 2021 we will see more extensive ad hoc audits (e.g. with questionnaires) and also individual sanction measures (e.g. after complaints from data subjects). Some German data protection authorities have already announced that the time for companies to examine the consequences of the ruling is now over and that they will have to implement appropriate measures (e.g. agreeing on additional protective measures or suspending data transfers)."
In relation to enforcement, Orucevic specified, "In general I believe that data protection authorities all over Europe will start to enforce Schrems II compliance […] maybe not through fines at first, but they will begin to stop data transfers to the US (see e.g. [the recent enforcement actions from] the CNPD and the BayLDA), which in some cases could hurt more than a fine. The EDPS also just today announced two investigations in the context of the Schrems II ruling. So we can expect lots of investigations regarding third country transfers all over Europe."
Other key aspects of the resolution
Adequacy and Privacy Shield
The resolution highlights that a new adequacy decision with third countries should not be considered without taking into account the implications of EU court rulings and ensuring full GDPR compliance, and specifically calls on the Commission not to adopt any new adequacy decision in relation to the US, unless meaningful reforms are introduced, in particular for national security and intelligence purposes, which can be achieved through clear, legally sustainable, enforceable and non-discriminatory reform of US laws and practices. Further to the same, the resolution calls on national data protection authorities to suspend the transfer of personal data which may be subject to access by public authorities in the US, if the Commission were to adopt any new adequacy decision in relation to the US in the absence of such reforms.
Domokos explains, "The view represented by the CJEU, especially regarding what constitutes adequate level of protection, should be reflected upon in any upcoming adequacy decision. The CJEU found that the Privacy Shield did not guarantee an equivalent level of protection, and this serves as a threshold indication for future third country data transfer frameworks, including but not limited to the US and the UK."
Piltz further elaborated on this aspect of the resolution, highlighting, "From the Commission's perspective, this requirement should not be particularly surprising […] I assume that it will also try to implement the CJEU's requirements in the decisions. Of course, we have to keep in mind that a large part of the CJEU's criticism was not aimed solely at the regulations in the [Privacy Shield] decision, but resulted from the applicable laws in the US. It will be difficult for the Commission to influence this level by means of an adequacy decision alone. This means that in the end the adequacy decision from the EU side can only be a building block for secure data transfers."
Specifically regarding the potential for a successor to the Privacy Shield, Orucevic highlighted that "a Privacy Shield 2.0 is not to be expected any time soon […] since the US will not amend its surveillance laws easily and the Commission does not want a new regime to be annulled in a Schrems III case before the CJEU." Orucevic further highlighted that, despite positive developments at the state level with, among other state-level legislative developments, the passing of the California Consumer Privacy Act of 2018 ('CCPA') and now the California Privacy Rights Act of 2020 ('CPRA'), "as long as the US does not make changes to its surveillance laws (FISA / EO 12333), the root problem remains."
In addition, the MEPs resolved that it is necessary to support investment in European data storage tools (e.g. cloud service) to reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection.
Domokos highlighted, "Two of the EU's most-debated issues in terms of the Digital Single Market are digital sovereignty and data autonomy, both building upon the concept of data localisation and European data storage. There are promising initiatives, e.g. GAIA-X, the European Cloud. However, under the current circumstances, even with the growing capacity of EU data storage and data localisation, data transfers to third countries remain inevitable. While data localisation could be a step towards GDPR compliance (e.g. GAIA-X, or Microsoft’s new pledge for EU data centres), their success depends on a variety of factors, including technology, IT capacities, and appropriate regulatory framework."
Orucevic, however, outlined, "As long as US companies (cloud providers) potentially have access to clear data (SaaS / support from the US), data storage in the EU is not the solution ([as there is] no homomorphic encryption yet). As for data localisation, I believe that (hard) data localisation neither solves the problem of foreign surveillance, nor enhances personal privacy. Data localisation policies have their own risks and costs. Negative effects could be economic costs, cybersecurity risks, risks of policy inconsistencies and potential human rights implications."
How does the resolution impact EU, UK, and US authorities?
The resolution was also forwarded to a number of public authorities, notably the Congress and Government of the United States of America and the Parliament and Government of the United Kingdom.
Domokos explained, "Parliament resolutions are not binding to the Commission, and certainly not to foreign governments. The Parliament counts on the fact that the Biden administration, through the appointment of an experienced privacy expert as chief negotiator on the successor to the Privacy Shield, will prove more amenable to finding a solution for commercial data transfers between the EU and the US. As regards the UK, Information Commissioner, Elizabeth Denham, stated previously that the adequacy decision will be an 'important milestone in securing the continued frictionless data transfers', which could be seen as a sign of commitment to work together with the Parliament and the Commission."
Alexis Galanis, Privacy Analyst
Comments provided by:
Jimmy Orucevic, Data Protection & Privacy Consultant
Márton Domokos, Senior Counsel, CMS Cameron McKenna Nabarro Olswang LLP, Budapest
Dr. Carlo Piltz, Partner, reuschlaw Legal Consultants, Berlin
1. Available at: https://www.europarl.europa.eu/doceo/document/TA-9-2021-0256_EN.html
2. Available at: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
3. Available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries_en
4. Available at: https://edpb.europa.eu/news/news/2020/european-data-protection-board-42nd-plenary-session-presentation-two-new-sets-sccs_en
5. Available at: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12021-standard_en
6. Available at: https://edpb.europa.eu/system/files/2021-04/20210309plenfinalminutes46thplenarymeeting_public.pdf
7. Available at: https://www.europarl.europa.eu/news/en/press-room/20210518IPR04206/data-protection-meps-call-for-clear-guidelines-on-transfer-of-data-to-the-us