John Miller photo
Schrems II: A Moment for Calm, and Action

By now, the world – or at least those who care about privacy and appreciate the importance of international data flows, which is just about everyone I deal with – is aware the Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield in the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) case yesterday.

Most are also aware that, at the top line, Standard Contractual Clauses (SCCs) remain a valid transfer mechanism under the court’s ruling and the General Data Protection Regulation (GDPR). The continuing availability of SCCs as a data transfer mechanism for businesses around the world post-Schrems II provides critical continuity and stability of business operations and is a reminder this is a moment for calm and careful consideration of next steps, as many, including several ITI members, have pointed out. That leaders from the U.S. Commerce Department and European Commission have sounded a similarly constructive tone and already signaled a desire to quickly come to the table to hammer out a solution to the invalidated Privacy Shield is another positive sign. The European Data Protection Board’s measured statement and commitment to issue further clarification and guidance to stakeholders struggling to interpret the complex and nuanced decision is another welcome development.

However, policymakers and those in the business, privacy and other interested communities should not be lulled by this moment of calm into inaction. We also should not overlook the fact that the root causes cited by the court in invalidating Privacy Shield – and the EU-U.S. Safe Harbor before it – remain largely unchanged, and that any fair reading of the CJEU decision suggests that SCCs, too, could meet a similar fate.

The foregoing statement is not a hypothesis or idle speculation. The court’s decision plainly indicates that both the parties to SCCs and DPAs are obligated to assess whether the laws of third countries provide an adequate level of protection regarding potential government access to personal data transferred pursuant to SCCs or other transfer mechanisms. The court’s decision also expressed the view that, in its judgment, the U.S. system lacks the individual redress and proportionality with respect to its surveillance authorities to meet this standard.

Now is not the time to quibble with the court’s analysis of the proportionality of U.S. surveillance activities and the redress mechanisms available to EU citizens – there will be time for that later. But it is also not a time to ignore what the court plainly stated with regard to the long-term viability of SCCs – as leading privacy scholars, lawyers and DPAs alike have all pointed out.

The court’s clear direction and these sober analyses of the decision should not, however, signal that it is a time to panic, but rather that it is a time for action. Importantly, the court’s validation of SCCs as a viable data transfer mechanism, despite flashing warning signs for those and other safeguards, gives us time to get to work on crafting a more durable solution than Privacy Shield proved to be, one that we now know will be necessary to support SCCs longer term.

What will such a solution entail? A more durable framework will need to protect the rights to privacy and redress at the heart of this case, acknowledge the essential need for businesses to have transparent, reliable mechanisms to transfer data across borders, and more fully address the underlying questions cited by the court regarding government surveillance practices – not just in the U.S., but around the globe, including in the EU member states themselves.

Achieving this goal will not be easy. Success will require a global conversation and the concerted effort of all impacted stakeholders, including the tech industry and policymakers who aren’t usually on the front lines of this debate, to get it done. A day after Schrems II, we don’t yet have the answers, but we do have a new rallying cry – keep calm, keep the data flowing, and get to work on forging a more durable global solution that adequately preserves both fundamental rights and international data flows.