Schrems II decision: How to break the deadlock?

A lasting period of legal uncertainty

In its so-called “Schrems II” decision on 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the agreement that framed transatlantic data transfers – the Privacy Shield. The Court found that this agreement did not provide sufficient guarantees to protect the personal data of European citizens. Thus, many European actors entered a period of uncertainty and legal insecurity.

Not only does this decision not give actors a grace period to analyse it and take appropriate action, if necessary. It is also retroactive. Beyond future international data transfers, the compliance of all transfers operated under the Privacy Shield since 2016 must therefore be reassessed, calling into question a multitude of current contracts. In the wake of this ruling, a wave of initial complaints has been filed, including several against French companies. All this at the same time as the European Commission was working on updating standard contractual clauses (SCCs) – the tools available for actors to regulate these international transfers – a process that was due to be finalised shortly.

A strict interpretation by the regulators that weighs on the actors

Following this decision, the European Data Protection Board (EDPB), which brings together national data protection authorities, published a series of recommendations in order to guarantee the level of personal data protection in the European Union (EU), in the framework of international data transfers. 

While it is important to welcome an EU-wide process that ensures the harmonisation of the regional framework (at a time when national authorities are receiving multiple complaints throughout Europe), these recommendations appear difficult to implement. More specifically, the EDPB uses extremely strict criteria, which come up against the reality of the European national frameworks – very few countries meet the requirements set by the European board, including Member States such as France.

A decision that goes beyond the sphere of personal data rights

Beyond their strict character, these recommendations seem to omit the essential principle of norm hierarchy, a foundation of our law systems. The Schrems II decision creates a conflict of sovereignty between States, whereby governments’ access to data is put into question when this data is protected by other rights. This decision also raises the question of the balance between fundamental rights, notably between surveillance and privacy laws. The balance between security and freedom cannot be arbitrated via the General Data Protection Regulation (GDPR). Such an arbitration must be based on a compliance assessment vis-à-vis the European Convention on Human Rights (ECHR).

This balance is all the more questionable at a time when approaches to national security diverge between European states, and when legislative initiatives to regulate public authority access to encrypted data are multiplying across the EU. The interpretation of this decision goes beyond the sole expertise of data protection authorities, who are neither constitutionalists nor anti-terrorism specialists.  As such, the decision of the Court of Justice of the European Union offers room for manoeuvre to ensure this balance and its applicability. 

A “method of grace” in the absence of a period of grace?

Renaissance Numérique calls to set the conditions for a “method of grace” shared by all actors concerned: a proportionate approach, based on the diligence of the actors and risk analysis. This approach would propose operational requirements and reduce the risk of hasty sanctions until the European doctrine and the tools (the modified SCCs) are stabilised and come into force.

The CJEU’s decision is not binary and offers a range of contextualisation to analyse data transfers on a case by case basis. Among others, this methodology should take into account the sensitivity of the data transferred, the presence of a sovereign surveillance purpose on certain data, the inadequacy of certain technical measures or the complexity of processing chains, etc. This intermediate step would make it possible to avoid a deadlock while waiting for a new solid international agreement. 

In time, the situation will not resolve unless another agreement with the United States, in respect of the Court’s decision, is signed. In the meantime, regulators and companies keep rejecting the responsibility to take action on one another, and actors risk being continuously jeopardised by this lasting uncertainty. Renaissance Numérique calls on the European Commission and Europe’s executive power to open a dialogue with all stakeholders, in order to deliver a coordinated enforcement of the decision issued by the Court of Justice of the European Union. This dialogue should allow European authorities to gather all relevant expertise, beyond the sole data protection sphere, for instance experts of international and constitutional law or security issues, and to define standards in accordance with our values.