Unspoken truths about Schrems II
One of the most remarkable things about the Schrems II decision has been the truly deafening amount of noise it has generated. Some have boldly claimed that transfers of data from the EU to the US are now illegal. This has led to further claims that the only solution is for the US radically to change its legal framework or that all European personal data should just be kept in Europe. Others have responded that such an approach only reveals the hypocrisy of ignoring the extent of government access to data in Europe. Many more have said that since this is a political problem, it is unfeasible for any organisation involved in data transfers to come up with a solution and therefore, it is outside their control. Meantime, vociferous legal complaints have contributed to a climate of anxiety that threatens to cripple data globalisation as we know it.
It is important therefore to uncover some truths about the Court of Justice of the European Union’s (CJEU) decision which seem lost amid all this noise. First of all, this decision has exposed once again the natural and constant tension between the protection of privacy and the need for the state to access personal data to perform its functions. Law enforcement, taxation, public health and national security are all dependent on the access to and use of personal data. In Europe and many other parts of the world, it is paramount that any such data activities by the state do not breach democratic principles and individuals’ rights. Every instance of government access to data creates a risk, so what the CJEU is saying is that when European data becomes available to foreign states, we must remain vigilant about this risk and take steps to ensure that the democratic balance is not lost. This is not radical political grandstanding, but a court doing its job.
At a more mundane, data protection-specific level, the CJEU also reminds us that the limitations on international data transfers are simply intended to ensure the continuity of the level of protection established by the European framework. This raises the issue of whether those limitations are even relevant given the powerful extraterritorial reach of the GDPR. In other words, the applicability of the GDPR far beyond the boundaries of the EU means that, at least in principle, the level of protection provided by this framework will be extended to data processing activities taking place in other jurisdictions. However, in judging what an ‘adequate level of protection’ means, the CJEU goes much further and essentially gives extraterritorial application to the Charter of Fundamental Rights of the European Union. This sets a very high bar for other jurisdictions to reach.
Understandably, some have seen this as an impossible task for them to undertake. How can anyone make an assessment of the world’s public authorities’ powers and take a view on their level of interference with the rights to privacy and data protection? Is it even possible to identify the additional safeguards that could compensate for an excessive degree of interference? More specifically, how can two parties to a data transfer agreement possibly question a government’s binding request for access to data? These are difficult questions that the CJEU has thrown to those involved in global data flows, but their answers may not be as problematic as we think. Disproportionate access to data by governments is not just a European concern. It is a universal challenge and the measures to tackle this challenge are also universal. Contractual provisions that restrict the way in which access to personal data may be granted, measures that render transferred personal data inaccessible in practice, and measures that apply when disclosing that data to third parties are all commonly used throughout the world.
So next time you hear that Schrems II is too radical, and too difficult to implement or comply with, think about what is possible. What can you possibly do to make something that sounds disproportionate, proportionate? What steps would you take to challenge someone who may be overstepping their powers? The CJEU is not looking for heroic actions. The same is true of the European data protection authorities. They are looking for a balanced approach to doing business globally that is mindful of democratic principles, questions possible abuses of power and respects the right to data protection.
This article was first published in Data Protection Leader in September 2020.
Avocat à la Cour / Data Protection Officer
4 years ago: Yet another quality analysis that I have come to appreciate over the years from Eduardo.
Global privacy professional
4 years ago: "However, in judging what an ‘adequate level of protection’ means, the CJEU goes much further and essentially gives extraterritorial application to the Charter of Fundamental Rights of the European Union." - This is a big stretch and unfounded. GDPR itself refers explicitly to the Charter (see recitals 1 and 4, for example). Hence, it is not CJEU that gives 'extraterritorial' application of the Charter, but a matter of this being embedded in GDPR itself?
General Counsel | Policy | Higher Education | Regulatory Compliance | Crisis Communication | AI Governance
4 years ago: Very insightful, thank you!
Founder, Principal at Lucid Privacy Group
4 years ago: So at a product level: data minimization as a first principle, potentially encryption or obfuscation where appropriate. Contractually: requiring these product level precautions. Potentially introduce a transparency obligation (public?). You can't refuse the government when receiving a lawful request, but perhaps you can disclose (some forms of) governmental access.