European Parliament hearing on Schrems II

Justice Commissioner @dreynders: I have three priorities. 1/ we must ensure compliance with the ruling of Europe’s highest court. That is my personal responsibility. 2/ Companies must be able to rely on solid and predictable mechanisms, to transfer data to many destinations in the world. 3/ We will work closely with DPAs.

The Commission is focusing on 1/ DPA guidance on compliance — as highlighted by the Court. We worked closely with EDPB on its first set of guidance addressing most urgent questions. This was particularly important to build a common understanding. Must be practical, with examples.

2/ Modernisation of #SCCs, as mentioned in June report on two years of #GDPR. We will include the Court’s additional clarifications. They are v useful for SMEs which do not have the resources and expertise to negotiate individual contracts with each commercial partner abroad. We intend to launch adoption process in coming months, and finalise by the end of this year, following Opinion from EDPB and MS approval.

3/ Discussions with US will intensify in coming weeks. But we must recognise the judgment raises complex sensitive issues, so no quick fix.

Important also for review of existing adequacy decisions, and negotiations with S Korea and the UK. We are of course fully taking into account the requirements set by the #SchremsII judgment. This work is all part of a broader approach.

The Commission sees data protection law global convergence as more important than ever, based on binding rules and effective enforcement. This would allow the EU to have an open but assertive international approach, based on its values and strategic interest. Two recent examples: Brazil’s GDPR-like law, and S Korea creating a fully independent DPA with strong enforcement powers. This is a central component of the EU DP model, and one of the main reasons for its success in inspiring other systems around the world – a high level of DP with openness to data flow and cooperation

@EU_EDPB chair Andrea Jelinek: the #SchremsII judgment echoed some of our concerns with #PrivacyShield, such as a lack of oversight and substance. We are currently preparing additional support for controllers and processors on identifying and implementing appropriate measures.

The CJEU #EssentialEquivalence test applies to *all* mechanisms for personal data transfers. The judgment did not invalidate the Commission decision on SCCs but emphasised they must be assessed in the specific context they are used. If in practice the recipient of data cannot comply…

Article 49 transfer derogations can only be applied on a case by case basis. The responsibility is primarily the data controller’s to assess, and must consider the legal regime applicable in the third country including govt scope to access personal data.

EDPB will ensure consistency across the EEA. First, we will update existing EDPB documents on data transfers and second, prepare recommendations to support controllers and processors in implementing appropriate measures for transfer. But there cannot be a one size fits all solution.

The EDPB stands ready to support the Commission to work with the US to develop a new agreement fully in line with the judgment of the Court. I thank the LIBE committee for the support you grant the DPAs, which need adequate resources and institutional support to fulfil role

LIBE Chair: Not for the first time before LIBE… @maxschrems ?

We need a long-lasting, stable solution, not a privacy umbrella or “Safe Harbour 3.” We have a fundamental clash of laws between EU and US FISA 702 (and EO 12333). There is no room for another treaty to overcome the problem, unless we change CFR, or US changes surveillance laws.

After @Snowden new protections were introduced for US citizens. So after November, there is some scope for further US reform. European law should win here, after all. #SCCs only saved as you’re not allowed to use them in situations where there is a US surveillance law.

We are talking about US electronic communications surveillance providers, under FISA s.702, eg big cloud providers. Doesn’t apply to ALL US companies. There are so-called supplementary measures. Good encryption could possibly overcome EO 12333/international cable spying, but not US company access.

Supplementary contractual measures could perhaps help with EO 12333, saying there’s a huge penalty if you voluntarily hand over data to the US govt. But not with companies under FISA s.702, which is the bulk of data sent to the US.

Many US companies plan to simply ignore the Court of Justice ruling, as they do not believe DPAs will go after them anyway. For smaller companies, they mainly don’t know what to do. Facebook has sent a letter saying they will continue transferring data.

It would be helpful for European Parliament to provide guidance in a resolution. We need clarification under #GDPR s.49. FB is claiming its processing is “necessary for contract” and the judgment is irrelevant. EC must push US to clarify if FISA s.702 covers server farms of US companies in Europe.

In the long term we must come to the conclusion within the democracies we must respect each others’ fundamental rights as citizenship. This clearly won’t work with Trump. But if the US wants to be the cloud provider to the world, we must have privacy and security guarantees.

IB: Committee chair is despairing that the CFR is not being fully enforced by the EU institutions. I think he means you, Data Protection Authorities (esp. @DPCIreland), and @EU_Commission ??‍♂️

For EPP, @AxelVossMdEP: we need legal certainty for businesses, especially SMEs. We must avoid fragmentation within the EU, and seek a workable basis. #SCCs not always appropriate. It’s not possible to question basic principles every four years. LIBE conclusions will depend on the way national security is managed in third countries. How will we deal with China in this context? (IB: that’s easy!) Is there any potential scope for getting movement from the US limiting the data accessed? Is there some possibility of setting up an authority on their side? These are questions I ask.

I cannot see a solution in the form of a new adequacy ruling. Which additional measures exactly would be needed beyond #SCCs?

For S&D, @paultang: the credibility of the COM is at stake. How will it ensure we don’t run into this problem again? We hear the enforcement is a problem. I would like to hear how the EDPB will ensure the law is enforced? And with a hard Brexit, what does this imply? (IB: #adequacyLoL)

For Renew, @SophieintVeld: Mr Schrems is fortunately a very stubborn and conscientious citizen, who has defended citizens’ rights more than all the DPAs and the Commission put together. They have failed twice. They cannot fail a third time. There should not be a Schrems III.

Whenever there is a big political problem for the EU, we get scared, and throw rules at it. But if the problem is political, the solution cannot be technocratic. This is not a legal, technical or DP problem. It is a geopolitical problem. Our relationship with the US.

We cannot expect @dreynders to solve this. It is for the whole EU. We have watched with growing concern the extreme weakness and reluctance of the DPAs to enforce the #GDPR, or the Commission to tackle this issue. We knew Safe Harbour and Privacy Shield were unsound.

I expect not just @EU_Commission to come up with a watertight solution, but the DPAs to finally do their duty. My rights as a citizen should not depend on companies’ ability to assess American secret services.

For GUE/Left. C Daley MEP: blanket data retention is unlawful. Over and over again. What is the @EU_Commission going to do? DPAs are under resource pressure. I do have confidence in @DPCIreland, which took the High Court proceedings in Ireland, and were the ones that referred this case

Justice Commissioner, @dreynders: of course this is a political discussion we have with the US. The judgment provides some indications of how it could be addressed, for example a strengthened framework for redress, built on existing elements, but may be also a necessity for legislative change.

US state and federal discussions, and limitations of intelligence services, have advanced — there is more common ground than at the time Privacy Shield was negotiated. The q also is how it’s possible to give a certain level of certainty to companies.

It’s still possible to use #SCCs across the Atlantic (IB: rubbish!) but we are continuing to modernise the clauses, working with the EDPB and national authorities. And it’s true with UK an #adequacyLoL decision must take account of #SchremsII. (IB: no chance!)

The Commission said in its two-year GDPR review it’s v important Member States give appropriate financial and human resources to DPAs, which depends on the size of the companies in the MSes (Ireland!) The US authorities are in the best place to analyse their own legislation and see what’s needed.

EDPB chair Andrea Jelinek: yesterday the EDPB created a task force to look at NOYB’s 101 complaints (two are now withdrawn). We will work closer together than ever to solve this issue. You can be sure we are investigating all together. But enforcement is a matter of the national DPAs. We have the one-stop shop mechanism to coordinate.

I reassure you again we are working closely together and very hard to succeed in protecting EU citizens’ rights. And this is not only a problem of DP. It is a geopolitical problem. We should come together to see if the Western world has a common understanding about DP and rights

Schrems: Legal certainty is essential. SMEs are unable to do this. This is a problem of the GDPR itself as it focuses so much on the controllers. Small German SMEs cannot control Google. It should be enforced against processors directly.

Two possible US law changes. 1/ Delayed notice of surveillance, giving standing, which is a big problem. 2/ Need equal protections as US citizens have. Not too much to ask in the negotiations. US multinationals have options, eg to split processing operations, in EU without access from US parent.

This will happen if these industry players get the feeling this is essential to continue doing business in Europe. The processors hold the power here.

It’s obviously impossible for even large EU companies to properly assess US law.

They need help from the DPAs, even if it is not formally their responsibility. Also: could EU companies self-certify in a binding way? Makes it much easier and could be used with any third country. Finally, we’ll have same problem with UK surveillance law.

@DPCIreland has salami-sliced to delay every issue, it’s insanely expensive, also to appeal against them if NOYB loses (so far we always won.) This is why it’s impossible for the average citizen to take action. First decision will take 10 years!

DPC now has 140 people, it’s not a question of lack of resources. NOYB has 6 people and we seem to get more done. You need the right people at the head.

@BirgitSippelMEP: what effective powers does the US Ombudsperson have? If anything goes wrong, EU citizens don’t have the same rights as US citizens. We have transatlantic uncertainty. We do not need a technical “solution” to make it seems there’s no uncertainty.

Even when using #SCCs – how can companies assess adequacy if the Commission cannot? @ThierryBreton says we need European #DataSovereignty. Will the Commission check if this will help? We have to look into overburdening of DPAs, esp. @DPCIreland.

Many European companies use Google Analytics and Facebook Connect. Can the EDPB provide guidance on this to help them?

M Körner MEP: the Commission should say: let’s make privacy great again! Trump is concerned about TikTok. I am more concerned about China as well. Let’s US and EU together as Western countries protect our values of privacy and data protection. We need an EU-US no spy agreement!

The European Parliament will not change the Charter of Fundamental Rights! Please. Facebook. Google. Go and lobby your government and Congress! If you want to operate in the European market, you have to comply with European rules!

Körner: This is the third time we are sitting here. If we can’t change things this is useless!

Pirate MEP @echo_pbreyer: We should be proud of the CJEU! We don’t need unsafe flows of data to third countries. The mass surveillance programmes exposed by @Snowden have been found as excessive, not strictly necessary. So yes @dreynders, which laws are you asking US to change?

CJEU says we need new legislation addressing all executive programmes, and EU citizens need enforceable rights in US courts, and that could be done by a no-spy agreement that gives European citizens the same rights as US citizens. That is needed.

The US has threatened a trade war with Europe if it enforces #SchremsII. If this is what it takes, so be it. –@echo_pbreyer

@dreynders: on #DataSovereignty we are open to all those apply the rules, esp. if we can apply an adequacy decision. (IB: Is he talking to his fellow commissioner @ThierryBreton?)

It’s true there are possible changes with the surveillance process in the US. Certainly there are requests for enforceable rights for EU citizens in the US, we are discussing this. It will take some time in relation to issues due to national security and the elections situation.

Jelinek: every DPA has to face three cases from NOYB regarding Google Analytics and Facebook Connect. We have created an EDPB task force to look into these complaints thoroughly and together << IB: @NOYBeu wouldn’t be forced to file all these if the DPAs were more effective

@maxschrems: #DataSovereignty should be our rules applying, not data geographically in the EU. Data transfers are one of the best ways for the EU to promote its rules, so we should engage with more and more companies to build this globally.

US has more to lose than EU from a trade war. Its IT industry dominates the globe. The EU has an upper hand on these issues. US companies right now aren’t moving much, but we could get them to lobby the US. That requires enforcement on the EU side. China/#TikTok plays into this… with little due process, US can hardly argue EU is violating WTO rules.

It’s not all or nothing enforcement. There could be letters to companies asking about their transfers. You can have a prohibition notice, with 6 months to implement. Then fine.

IB: Well, that was fun! Looking forward to a strong @EP_Justice resolution on these issues, action from the @EU_EDPB and @EU_Commission, and protection at long last for EU citizens’ rights against overbearing US surveillance!