European Parliament asks European Commission for guidance post-Schrems II
Where next for Schrems II?
Or rather, how will the European Commission (Commission) respond to the European Parliament’s call for guidance following the CJEU decision in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C-311/18)?
The key takeaway
The European Parliament has passed a resolution calling on the Commission to issue guidelines on how to make data transfers compliant with recent CJEU case law and the European Data Protection Board’s (EDPB) decisions.
The decision in Schrems II was yet another blow for the legal framework surrounding international data transfers. In the decision, the CJEU invalidated the Commission’s adequacy decision for the EU-US Privacy Shield Framework, which was used by over 5,000 companies to conduct data transfers between the EU and US. The decision also cast doubt over other personal data transfers between the EU and US due to the US government’s access to private sector data.
Since the decision, the Commission has incorporated changes into documents such as the new Standard Contractual Clauses to take account of its impact. However, MEPs have requested further guidance in several areas, including on the implementation of guidance from the EDPB.
The European Parliament has called on the Commission to incorporate the EDPB’s recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. It has asked the Commission not to conclude new adequacy decisions with third countries without considering the implications of CJEU rulings and ensuring full General Data Protection Regulation (GDPR) compliance. In addition, MEPs have called for data storage capabilities to be developed within Europe to achieve true autonomy in data management through additional investment.
The Commission had expressed disappointment with the Irish Data Protection Commissioner (IDPC) because of its decision to initiate a civil claim in Schrems II, rather than independently triggering enforcement procedures based on GDPR rules. MEPs also criticised the IDPC’s long processing times and called for infringement proceedings to be issued against it.
Finally, MEPs have asked EU Member States to stop transfers of data that could be accessed in bulk in the US if the Commission reaches an adequacy decision regarding the US.
Why is this important?
The ball is now in the Commission’s court to issue guidance on how best to manage data transfers and enforcement in a post-Schrems II world.
Data transfers to the US remain under significant scrutiny with a strong desire to avoid any adequacy decisions based on a system of self-certification (such as the Safe Harbour and Privacy Shield frameworks). One rapporteur stated that the Commission could not afford to repeat the mistakes of the past and bear witness to a possible “Schrems III” case. It is particularly concerned with the use of mass surveillance technologies in the US and compliance with EU law, which puts the spotlight on the Biden administration’s approach to privacy and national security over the coming months and years.
Any practical tips?
Keep looking to include terms within your agreements to anticipate additional measures flowing from Schrems II. Above all, keep an eye out for further announcements by the Commission on its forthcoming guidelines and how best to ensure that international data transfers are compliant.