Exchanges of personal data after the Schrems II judgment

Delighted to see the European Parliament has published our new study on Exchanges of personal data after the Schrems II judgment after several months of research. Our key findings are below, but there is a wealth of information in the 120 pages of the report! Please do look at the full document, which also contains an executive summary.

Our analysis shows that no US federal or state privacy law is likely to provide “essentially equivalent” protection compared to the EU GDPR in the foreseeable future. Indeed, there are serious and in practice insurmountable US constitutional and institutional as well as practical/political obstacles to the adoption of such laws.

The EU should immediately identify stop-gap measures such as audits, logs and reporting mechanisms that can possibly be used to allow some transfers of non-sensitive data – but also identify categories of data (and/or of controllers and processors or contexts) in relation to which these will not suffice. The European Parliament should ask the EDPB to address these matters in yet further guidance on EU–US data transfers, drawing on the work of the Commission in relation to the Digital Services Act and the Digital Markets Act.

In the medium term, legal academics and civil society groups are clear that federal surveillance legislative reform will be required to provide EU data subjects with “an effective remedy before…an independent and impartial tribunal” relating to personal data transferred to the US, as required by the Charter of Fundamental Rights. Complainants would need standing to obtain judicial review from the Foreign Intelligence Surveillance Court.

Presidential action and legislative reform will also be required to ensure the necessity and proportionality of US surveillance of data transferred under any adequacy finding. US civil society groups have recommended limiting bulk collection; narrowing the definition of foreign intelligence information and setting stronger standards to justify surveillance targets; reducing the default retention period for collected information from five years to three; and increasing transparency about surveillance activities.

Finally, reform of the FTC Act will be required to enable effective enforcement of self-certified compliance by US data controllers with the full GDPR, including strengthening private rights of action.

If (i) the US and the EU were to take the legislative steps we outline relating to substance, enforcement and individuals’ rights of action and (ii) the US were to reform its surveillance laws and practices, then a new EU–US arrangement for self-certification by US entities could be achieved. Without these reforms, EU data protection authorities will be required to consider suspending transfers of personal data to the US even following an adequacy decision by the European Commission.

The EU institutions should stand up for the rule of law and demand both the Member States and third countries bring their intelligence practices and domestic law frameworks fully in line with international human rights law. A pragmatic starting point would be the development and ratification of a “minilateral” treaty covering intelligence activities of, in particular, the 30 EU/EEA states and the “Five Eyes” countries (USA, UK, Australia, Canada and New Zealand). While full ratification might take several years, these states should much sooner come to an informal agreement against “spying on allies”.