EU-US Privacy Shield – is Schrems II the final nail in the coffin?

In the immediate sense, the answer is obviously ‘yes’: the Schrems II CJEU decision invalidated the EU-US Privacy Shield and put some 5,500 US entities and many more EU organisations that are exporting personal data to the US in a position where that activity is suddenly illegal.

The question for those organisations is: ‘what do we do now? Do we wait for the authorities on both sides of the Atlantic to create a replacement for the EU-US Privacy Shield or do we have to do something else?’

I think they have to do something else. The Schrems II decision turns on a fundamental conflict between EU and US law: the US allows a far greater level of government data surveillance, with far less individual legal redress available, than EU law does; no redrafting of the Privacy Shield mechanisms can hide that basic fact. Unless the US – or the EU – or both of them – change their laws significantly, then I’m sure that Max Schrems would bring a case against any Privacy Shield replacement, and what would then be the Schrems III decision will also declare that replacement mechanism invalid.

The only remaining alternative to the now defunct Privacy Shield is Standard Contractual Clauses (SCCs) – but the Schrems II decision put users of SCCs on notice that they need to ensure that the jurisdiction of the data destination provides individual protection equivalent to that of the EU and, obviously, the US does not. This means that SCCs on their own will be an inadequate legal basis for EU-US data transfers. The Schrems II judgement does, however, point out that SCCs could be enhanced; that transferring controllers could take further measures, beyond the contractual clauses themselves, to protect data. Data encryption or pseudonymisation, for instance, might provide effective additional protection. Article 49 derogations might provide specific legal grounds on which to transfer data, but assessing and documenting those will potentially be very time-consuming.

Schrems II does, I think, kill the idea that some form of adequacy sticking plaster will cover the substantial gap between the legal environments in the two jurisdictions. So I think the solution will have to be a patchwork combination of enhanced data protection, the selective use of Article 49 derogations, and the re-examination of data flows – to ensure that only data that genuinely needs to be transferred to the US is actually transferred. Global web platforms will have to accelerate containerisation of data, so that EU data is held in the EU and accessible only from the EU; all exporters will have to look carefully at the basis on which they are exporting personal data – and not only to the US.

Schrems II has implications far wider than the EU-US Privacy Shield. The obligation to ensure that data transferred by means of SCCs receives equivalent protection impacts ALL data transfers, to ALL jurisdictions. I can’t, for instance, imagine how any flows of personal data to China or Russia can possibly continue! And, finally, I think Schrems II contains a warning for the UK: if we want to get an adequacy decision to protect EU-UK data flows beyond 31 December 2020, we need to ensure that we keep to the straight and narrow in terms of continuing to provide EU-equivalent legal protection for the data of EU residents.