No to a ‘Schrems III’ ruling! On Thursday 3 September, the watchword was clear in the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, where a two-hour debate was devoted to the fallout from the Court of Justice’s ruling of 16 July (C-311/18).
Since that date, the transfer of personal data between Europe and the United States has been in limbo, with the immediate invalidation of the framework agreement between the two parties, the Privacy Shield (see EUROPE 12529/2).
In its judgment, the Court found that Europeans’ personal data were not sufficiently protected against the US surveillance programme and that they did not have sufficient remedies.
Updating of standard contractual clauses
Speaking to MEPs, Commissioner for Justice Didier Reynders said he was currently working to find a lasting solution. He recalled that he was in close contact with data protection authorities, the European Data Protection Board (EDPB) and his US counterpart. He also announced that the Commission would circulate, as early as this month, a first draft of the new standard contractual clauses, which have been in preparation for many months. According to him, the finalisation phase will take place by the end of the year, once the EDPB has given his opinion and the Member States have decided by comitology.
The Court did not overturn the 2010 decision on standard contractual clauses, but it did specify that they must be evaluated in the specific context in which they are used.
“The standard contractual clauses cannot legally support the data transfer, if the recipient is unable to comply with them and if no additional measures are available to compensate”, EDPB President Andrea Jelinek clarified to MEPs. She recalled that the Committee had already published a first analysis of the judgment and that it was about to “publish recommendations to help supervisors identify and implement appropriate complementary measures” (see EUROPE 12536/9).
Mr Reynders explained that the modernisation would take into account the new criteria of the General Data Protection Regulation (GDPR), in particular as regards the relationship between the body processing the data and the supervisor, the obligations of that body, or the transparency obligations of the data importer. This modernisation will also address situations of transfers not covered by the current standard contractual clauses (from a European body to a European sub-jurisdiction). Finally, it will attempt to better reflect the reality of the treatment.
A geopolitical response
During the exchange of views, many MEPs, supported by the lawyer behind the case, said that a purely technical solution would not be sufficient.
“There is no room for an executive agreement if on the legislative level, we simply have two obligations”, said Max Schrems, recalling that he had already filed 101 complaints about ongoing, illegal, transatlantic transfers (see EUROPE 12545/3).
The European Commissioner, too, acknowledged that this was a political discussion with the Americans. “It is possible to build on existing elements, but there may be a need for legislative changes”, he said, stressing, however, that there is a more positive climate in the US today than there was in 2016 when Privacy Shield was established.
For his part, Mr Schrems called for short-term clarifications on the exemptions offered by Article 49 of the GDPR as well as clarification from the Americans on their Foreign Intelligence Surveillance Act (FISA). In the longer term, a common vision of the scope of surveillance and a change in US law is required, he said.
The Austrian lawyer also discussed several avenues in detail, such as the idea of having the GDPR directly enforced by the body processing the data or the possibility of being informed when monitoring applies. On standard contractual clauses, he suggested the creation of European self-certification, which he said would be “technically easier and as strong legally” as US self-certification. (Original version in French by Sophie Petitjean)