No quick fix for transatlantic data transfers, says EC

Europe’s justice commissioner has conceded there will be “no quick fix” for EU-US data transfers in the wake of the decision by the region’s top court in July that struck down a flagship data transfer agreement which was being used by thousands of businesses.

Despite the ‘Schrems II’ judgement being the second such CJEU strike in around five years, commissioners from the EU’s executive body and US counterparts in the U.S. Department of Commerce announced last month that they had begun discussions on a potential replacement for the now defunct EU-US Privacy Shield.

Justice commissioner, Didier Reynders, said today that talks on an ‘enhanced framework’ are continuing but he admitted there’s no fast track fix for the schism between Europeans’ fundamental rights and US surveillance law.

“There is a common willingness to fully comply with the judgement of the court — on both sides we want to find ways in which to address the issues raised by the court,” said Didier Reynders. “We will intensify our engagement with the US in the coming weeks but we also have to recognize that the judgement raises complex issues related to the sensitive area of national security. Therefore there will be no quick fix.”

He went on to suggest that changes to US law may be needed for any Privacy Shield 2 to be possible — giving the example of the lack of a redress mechanism for EU citizens as an area where legislation may be needed — before emphasizing that any such legislative change would clearly take time (he noted, for example, that the US election is looming — which bakes natural delay into any such timeline).

“We are working with the US counterparts to evaluate the possibility of a strengthened framework — and of course it’s possible to build on existing elements but of course it’s maybe also a necessity to have legislative changes,” he said. “That’s the real question that we have with the US authorities. And that will of course have an impact on the time needed to put in place a new framework.

“It’s a real political debate; it’s not just a technical issue. And if we look at the domestic developments and debates in the US around privacy at the state and federal level but also limitation for intelligence service program there are probably more common grounds to find viable solutions than when the Privacy Shield was negotiated. You have also seen that the reaction of US authorities were constructive; they want to explore where to address the issues raised by the judgement but again sometimes, on the base of actual elements, there is maybe some legislative changes [required].”

“What we need are sustainable solutions that deliver legal certainty in full compliance with the judgement of the court,” he added. “That is also the message I have clearly passed to my EU counterparts and on which I will keep insisting.”

Reynders was speaking to the EU Parliament’s civil liberties (LIBE) committee, which was holding a hearing into the implications of the Court of Justice of the EU (CJEU) invalidating the EU-US Privacy Shield — aka the Schrems II ruling.

The chair of the European Data Protection Board (EDPB), Andrea Jelinek, had also been invited to speak, alongside Max Schrems himself, the European privacy campaigner who now has two successful strikes against EU-US data transfer mechanisms — after the CJEU invalidated Safe Harbor in 2015 and the EU-US Privacy Shield this July following his complaints. 

The discussion delved into the implications of the CJEU ruling for an alternative data transfer mechanism called Standard Contractual Clauses (SCCs) which were not invalidated by the court, even as their use for US data transfers is now larded with legal risk as a result of US surveillance overreach.

Reynders told the committee the Commission is continuing its work on modernizing SCCs to bring them into line with the EU’s General Data Protection Regulation (GDPR) framework — saying it will produce a draft version this month and is aiming to complete the process before the end of the year.

“Now that the judgement has been assured we will of course preserve the elements of the existing SCCs that have led to the court to find them valid. At the same time we will try to reflect and operationalize in all texts the additional clarification provided by the court on the conditions under which SCCs can be used — taking also fully into account the guidance issued by the EDPB that it should help companies in their compliance effort,” he added. “But of course we need to see what kind of more longer term evolution in the US [law there might be].”

Reynders said the same the issues around data transfers will arise with the UK, post Brexit — as it seeks an adequacy agreement and the Commission will have to assess its domestic laws, including infamously draconian surveillance laws — and with other third countries like China where there’s no adequacy agreement in place (nor any prospect of a finding of privacy protections that are essentially equivalent to those in the EU).

“We want to stay open to those that apply the rules,” he added.

Jelinek said the EDPB has just set up a taskforce to work on around 100 strategic complaints filed last month by Schrems’ digital rights group, noyb, that target EU-based entities across the region which are using SCCs for data transfers for Google Analytics and/or Facebook Connect integrations.

noyb argues there’s no legal basis for those transfers and that DPAs should step in and suspend them.

“We are going to work not only close together but closer together than we’ve ever done [with EU data protection authorities] to solve this issue,” said Jelinek. “We will analyze the matter and ensure that we will go together in the same direction.”

Enforcement of EU data protection law is both a duty for supervisory authorities and “a matter of credibility”, she added. “You can be sure we are investigating all together within the taskforce but again I have to tell you that enforcement… is a matter of the national supervisory authorities. Each and every supervisory authority has to enforce in their own country those complaints which are ruled with them.”

The prospect of any enforcement of Schrems’ original SCC complaint to the Irish DPC — filed some seven years ago at this point — is still a distant one, according to what he told the committee.

“Enforcement is going to be a matter of credibility,” he said. “So far the understanding is that there will be no enforcement — or no serious enforcement — that’s also the reason we have filed a couple of complaints already to make sure that there’s some movement. And I think there needs to be some kind of highlight cases where the industry feels there’s a feeling where they actually have to comply with all of this.

“I also want to throw in real short that we got a letter this week that I cannot disclose yet from the Irish data protection regulator informing us that, defacto, they will probably not pursue this case that is ongoing for seven years for the next, I would assume one or two years… We’re very sorry to see that the regulator in Ireland, despite being under a court order that they have to enforce this judgement is apparently choosing not to do so.”

We reached out to the Irish DPC for a response to Schrems’ remarks and it told us he is “wrong” in that supposition but at the time of writing the regulator had not provided any further comment. We’ll update this report if we get more. Update: Deputy commissioner, Graham Doyle, told us:

You have asked the DPC for a comment on Mr Schrem’s statement to the Libé committee of the European Parliament that he has received confidential correspondence from the DPC to the effect that it does not intend to follow the CJEU judgement and that it will be doing nothing for two to three years.

Firstly, the DPC is surprised that correspondence expressed to be confidential has been the subject of public comment and now media queries arising from those comments by Mr Schrems. Because of the confidential nature of the correspondence and the reasons underpinning its confidentiality, the DPC is not in a position to make any extensive statement.

However, the DPC can state that the comments with regard to content of the letter are inaccurate and are likely to mislead as to the nature of the correspondence. There is no reference to any number of years in the letter and to the extent any timeframes are referenced, they are in the order of days. At the point where the DPC is in a position to comment and outline fully details of the actions it is taking, we will be in further touch

Schrems was withering is his view of the Irish DPC’s record, telling the committee that its handling of his complaint was not a pro-privacy case but a “pro-delay case”.

“We have already said at the beginning that this case could have been done by the DPC itself. And we now get back to exactly the problems we have outlined five years’ ago — that the DPC is now working on again.” he said.

“The bottom line is probably there’s not going to be a decision within the next two or three years — if they continue like that. Which means the original complaint I filed after Snowden will probably take up to ten years to get a first instance decision. Then we’ll have three layers of appeals in Ireland. So I’m probably going to be retired once this case is actually finally decided! I’m going to be grey and old and that’s not how fundamental rights in Europe should work — and I think we really have to work on that.”