The Schrems II Case is an Extra Nail in the EU Coffin

As everybody in the Data Protection sector knows, the Court of Justice of the European Union invalidated the Privacy Shield adequacy mechanism for personal data export from European Union to United States data controllers and processors. The Court didn't invalidate the other transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules but mentioned something extremely important:

Standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country. 

So basically the whole responsibility falls now on the data controllers. But since the CJUE invalidated Privacy Shield due to US legal issues, the same legal issues must be taken now into consideration by data controllers. Berlin Data Protection Authority interpreted the CJUE decision as a ban of most personal data transfers to US, effective immediately.

The question is what happens now as the CJUE decision is now in effect and it should be applied immediately. Well, as anyone can see, NOTHING HAPPENS. Personal data transfers to US are still taking place at the same level while data protection authorities and data protection experts scrambled to find solutions. NOYB where Mr Schrems activates issued a guidance and a FAQ for data controllers, but they do not represent legally binding documents or official opinions of EU authorities or EU Member States authorities.

Everybody agrees that a full stop of EU personal data transfers to US would make the whole EU economy crumble, and in these troubled times when everybody is focused on keeping economies afloat no-one wants to do this. At the same time we have a CJEU decision effective immediately.

And that's the big problem with the European Union construction and modus operandi. EU institutions are perceived as weak, inefficient, bloated. Their decisions are many times ignored or overlooked by member states and by other EU institutions as well. Just take a look at how European Union Commission changed it's position related to the rule of law conditionality for EU funds access. Initially the messages had a very strong line - no EU country having rule of law issues would have been able to access EU funds. Now all EU countries received huge budgets to counter the economical effects of the COVID-19 pandemic.

A state is strong as long as it's institutions are strong. At this moment a CJEU decision is being ignored by companies, EU authorities and EU Member States authorities. A CJEU decision must be enforced and enforcement mechanisms should be available. Even if economies are severely affected by such a decision! That's how democracies work and that's what separation of powers mean. EU is requesting EU Member States to abide to the rule of law but the rule of law cannot be applied by the Supreme Court of the European Union.

Throughout the European Union Member States, Data Protection Authorities are weak. Their enforcement mechanisms are efficient only against small data controllers - nothing affected the practices of big Ad Tech players, cloud players, big data players. There are supervisory authorities decisions being ignored completely by companies like Google (there is an interesting case where the Romanian Data Protection Authority requested Google to delete some personal data and Google fully ignored them; available in the 2018 report). Remember when Berlin Data Protection Authority issued a set of mandatory questions for Facebook Pages Administrators? And they said that they will start auditing Facebook Pages? What happened? Nothing...

Each one of these decisions that cannot be enforced bring an extra nail in the coffin of European Union. EU must strengthen it's institutions and enforcement mechanisms. Now.